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Abstract 

Writing correct distributed programs is hard. In spite of extensive testing and debugging, 
software faults persist even in commercial grade software. Many distributed systems, especially 
those employed in safety-critical environments, should be able to operate properly even in the 
presence of software faults. Monitoring the execution of a distributed system, and, on detecting 
a fault, initiating the appropriate corrective action is an important way to tolerate such faults. 
This gives rise to the predicate detection problem which requires finding a consistent cut of a 
given computation exists that satisfies a given global predicate, if it exists. 

Detecting a predicate in a computation is, however, an NP-complctc problem in general. In 
order to ameliorate the associated combinatorial explosion problem, we introduce the notion 
of computation slice. Formally, the slice of a computation with respect to a predicate is a 
(sub)computation with the least number of consistent cuts that contains all consistent cuts of 
the computation satisfying the predicate. Intuitively, slice is a concise representation of those 
consistent cuts of a computation that satisfy a certain condition. To detect a predicate, rather 
than searching the state-space of the computation, it is much more efficient to search the state- 
space of the slice. 

We prove that the slice exists and is uniquely defined for all predicates. We present efficient 
algorithms for computing the slice for several useful classes of predicates. We establish that the 
problem of computing the slice for an arbitrary predicate is NP-complete in general. We develop 
efficient heuristic algorithms for computing an approximate slice for such predicates for which 
computing the slice is otherwise provably intractable. Our experimental results demonstrate that 
slicing can lead to an exponential improvement over existing techniques for predicate detection 
in terms of time and space. 

Key words: analyzing distributed computations, predicate detection, predicate control, global 
property evaluation, testing and debugging, software fault tolerance 
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1 Introduction 



Writing distributed programs is an error prone activity; it is hard to reason about them because 
they suffer from the combinatorial explosion problem. Software faults (bugs), in particular global 
faults, are caused by subtle interactions between various components of the system. As such, they 
may occur only for specific combinations of inputs and certain interleavings of events. This makes 
it difficult to eliminate them entirely using testing and debugging. In fact, in spite of extensive 
testing and debugging, software faults may persist even in commercial grade software. Many 
distributed systems, especially those employed in safety-critical environments, should be able to 
operate properly even in the presence of software faults. Monitoring the execution of a distributed 
system, and, on detecting a fault, initiating the appropriate corrective action is an important way 
to tolerate such bugs. 

A system for tolerating global faults will, in general, consist of three components: program 
tracing module, fault detection module, and fault recovery module. The program tracing module 
is responsible for recording the values of variables or objects being monitored (that is, on which 
the predicate depends) whenever they change. The fault detection module analyzes the trace to 
check for the possible occurrence of a fault. On detecting a fault, the fault recovery module takes 
the necessary corrective measure to recover from the fault. It could involve halting the program 
execution, or resetting the values of variables, or rolling back the execution of the program to a 
consistent cut before the fault followed by replay (or retry), possibly under control. The ability to 
detect global faults is therefore an important step in tolerating them. In this paper, we focus on 
detecting those faults that can be expressed as predicates on variables of processes. For example, 
"no process has the token" can be written as noJ,oken\f\no_token2f\- ■ ■ f\noJ,oken n , where no-tokeni 
denotes the absence of token on process pi. This gives rise to the predicate detection problem, which 
involves finding a consistent cut of a distributed computation, if it exists, that satisfies the given 
global predicate. (This problem is also referred to as detecting a predicate under possibly modality 
in the literature.) Predicate detection problem also arises in other areas in distributed systems 
such as testing and debugging, for example, to set conditional breakpoints. 

Detecting a predicate in a computation is a hard problem in general |Gar02bl ISS951 IMGOlbj . 
The reason is the combinatorial explosion in the number of possible consistent cuts. Given n 
processes each with at most k local states, the number of possible consistent cuts in the computation 
could be as large as 0(k n ). Finding a consistent cut that satisfies the given predicate may, therefore, 
require looking at a large number of consistent cuts. In fact, we prove in |MG01b| that detect 
a predicate in 2-CNF (conjunctive normal form), even when no two clauses contain variables from 
the same process, is an NP-complete problem, in general. An example of such a predicate is: 
(x\ V X2) A (a?3 V X4) A • • • A (x ra _i V x n ), where each X{ is a boolean variable on process pi. 

The approaches for solving the predicate detection problem can be divided into three categories. 
The first approach involves repeatedly computing global snapshots of the computation until the 
given predicate becomes true |GL851 lBou871 l5K86j . This approach works only for stable predicates, 
that is, predicates that stay true once they become true. Some examples of stable predicates 
are termination and deadlock. The given predicate may not be stable and may turn true only 
between two successive snapshots. The second approach is based on searching the state-space of 
the computation. This approach involves incrementally building the lattice corresponding to the 
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Figure 1: (a) A computation and (b) its slice with respect to (x\ ^ 1) A (x^ 3). 

computation until the desired predicate turns true JCM911 I.) MM 951 ISUL001 lAVnij . Unlike the 
first approach, this approach can be used to detect unstable predicates. However, the algorithms 
based on this approach may have exponential running time. The third approach exploits the 
structure of the predicate itself — by imposing restrictions — to evaluate its value efficiently for a 
given computation. Polynomial-time algorithms have been developed for several useful classes of 
predicates including conjunctive predicates |Gar02b( IHMKS96] . linear and semi- linear predicates 
|CG98j . and relational predicates |CG95j . 

We develop the computation slicing technique for reducing the size of the computation and 
therefore the number of consistent cuts to be analyzed for detecting a predicate. The slice of 
a computation with respect to a predicate is the (sub) computation satisfying the following two 
conditions. First, it contains all consistent cuts for which the predicate evaluates to true. Second, 
among all computations that fulfill the first condition, it contains the least number of consistent 
cuts. Intuitively, slice is a concise representation of consistent cuts satisfying a given property. We 
establish that the slice exists and is uniquely defined for all predicates. Since we expect global 
faults to be relatively rare, their slice will be much smaller — exponentially in many cases — than 
the computation itself. Therefore, in order to detect a global fault, rather than searching the 
state-space of the computation, it is much more efficient to search the state-space of the slice. 

As an illustration, suppose we want to detect the predicate (x\*X2+x^ < 5) A(xi ^ 1) A(x3 ^ 3) 
in the computation shown in Figure ^a). The computation consists of three processes pi, p2 and 
P3 hosting integer variables xi, x<i and x%, respectively. The events are represented by circles. 
Each event is labeled with the value of the respective variable immediately after the event is 
executed. For example, the value of variable x\ immediately after executing the event c is — 1. 
The first event on each process initializes the state of the process and every consistent cut contains 
these initial events. Without computation slicing, we are forced to examine all consistent cuts 
of the computation, twenty eight in total, to ascertain whether some consistent cut satisfies the 
predicate. Alternatively, we can compute the slice of the computation with respect to the predicate 
(x\ ^ 1) A (x3 ^ 3) as portrayed in Figure ^b). A slice is modeled by a directed graph. Each 
vertex of the graph corresponds to a meta-event, which is a subset of events. If a vertex is contained 
in a consistent cut, it means that all events corresponding to the vertex are contained in the cut. 
Moreover, a vertex belongs to a consistent cut only if all its incoming neighbours are also present 
in the cut. We can now restrict our search to the consistent cuts of the slice which are only six in 
number, namely {a, e, /, u, v}, {a, e, /, u, v, b}, {a, e, /, u, v, w}, {a, e, /, u, v, b, w}, {a, e, /, u, v, w, g} 



and {a,e, f,u,v,b,w, g}. The slice has much fewer consistent cuts than the computation itself — 
exponentially smaller in many cases — resulting in substantial savings. 

The slice for a predicate may contain consistent cuts that do not satisfy the predicate. We 
identify a class of predicates called regular predicates for which the slice is lean. In other words, 
the slice for a regular predicate contains precisely those consistent cuts for which the predicate 
evaluates to true. The set of consistent cuts satisfying a regular predicate forms a sublattice (of 
the lattice of consistent cuts). Some examples of regular predicates are: conjunctive predicates, 
which can be expressed as conjunction of local predicates, like "all processes are in red state" 
|Gar02b| . and monotonic channel predicates such as "all control messages have been received" 
|Gar02b| . We prove that the class of regular predicates is closed under conjunction, that is, the 
conjunction of two regular predicates is also a regular predicate. We devise an efficient algorithm 
to compute the slice for a regular predicate. The time-complexity of the algorithm is 0(n 2 \E\), 
where n is the number of processes and E is the set of events. In case the regular predicate can 
be decomposed into a conjunction of clauses, where each clause itself is a regular predicate but 
depends on variables of only a small subset of processes, a faster algorithm for computing the slice 
can be provided. Also, for special cases of regular predicates such as conjunctive predicates and 
certain monotonic channel predicates, we provide optimal algorithms for computing the slice, which 
have 0(| E |) time-complexity. 

In addition to regular predicates, we also design efficient algorithms to compute the slice for 
many classes of non-regular predicates such as linear predicates and post-linear predicates |Gar02bj . 
Our algorithms have time-complexity of 0(n 2 \E\). We prove that it is intractable in general to 
compute the slice for an arbitrary predicate. Nonetheless, it is still useful to be able to compute 
an approximate slice for such a predicate efficiently. An approximate slice may be bigger than the 
actual slice but will be much smaller than the computation itself. To that end, we develop efficient 
algorithms to compose two slices. Specifically, given two slices, composition* involves computing 
either (1) the smallest slice that contains all consistent cuts common to both the slices, or (2) the 
smallest slice that contains all consistent cuts that belong to at least one of the slices. We use slice 
composition to efficiently compute the slice for a co-regular predicate — the complement of a regular 
predicate — and a k -local predicate — depends on variables of at most k processes — for constant k 
SS95J. The algorithms have time-complexities of 0(n 2 \E\ 2 ) and 0(nm k ~ l \E\), respectively, where 
m is the maximum number of events on a process. More importantly, we use slice composition 
to compute an approximate slice — in polynomial-time — for a predicate derived from regular and 
co-regular predicates, linear and post-linear predicates, and /c-local predicates for constant k, using 
-i, A and V operators. Example of such a predicate is: {x\ V -1X2) A (2:3 V -ixi) A (X2 V X3), where 
each xi is a linear predicate. Finally, we conduct simulation tests to experimentally measure the 
effectiveness of computation slicing in pruning the search space when detecting a global fault. Our 
results indicate that slicing can lead to an exponential improvement over existing techniques in 
terms of time and space. Furthermore, other techniques for reducing the time-complexity |SUL00j 
and/or the space-complexity |AV01j are orthogonal to slicing, and as such can actually be used in 
conjunction with slicing. For instance, Alagar and Venkatesan's polynomial space algorithm |AV01j 
for searching the state-space of a computation can also be used for searching the state-space of a 

* Composition was called grafting in our earlier paper IMCOlal 
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slice. 

Although, in this paper, we focus on application of slicing to predicate detection, slicing can 
be employed to reduce the search-space when monitoring a predicate under other modalities as 
well including definitely, invariant and controllable }GM911 IGar02bl IBFR961 IMGOOj . We also 
show that many results pertaining to consistent global checkpoints can be derived as special cases 
of slicing. In particular, we furnish an alternate characterization of the condition under which 
individual local checkpoints can be combined with others to form a consistent global checkpoint 
(consistency theorem by Netzer and Xu |JNI-X.95| ): a set of local checkpoints can belong to the same 
consistent global snapshot if and only if the local checkpoints in the set are mutually consistent 
(including with itself) in the slice. Moreover, the R-graph (rollback-dependency graph) defined 
by Wang |Wan97j is a special case of the slice. The minimum and maximum consistent global 
checkpoints that contain a set of local checkpoints |Wan97j can also be easily obtained using the 
slice. We have recently applied slicing to solve several problems in combinatorics as well |Gar02a| . 

Parts of this paper have appeared earlier in conference proceedings [GM011 iMGOlal IMG03j . 
This paper combines results of the above papers in a single uniform framework. Preliminary 
versions of Sectional Section ETT1 and Section [7TI first appeared in |GM01j . In this paper, we have 
generalized the model of slice used in |GM01| from a partially ordered set (poset) on meta-events 
to a general directed graph on events. Also, parts of Section 0] including Lemma [21 and Theorem 
are new and did not appear in |GM01j . Preliminary versions of Section f5. 21 Sectional Sections 17.31 
and 17.41 and Sections 18 .31 18 .41 and 18. 61 first appeared in |MG01a| . Part of Section 18, 41 involving time- 
complexity analysis — which follows Theorem 1321 — is new and did not appear in |MG01aj . Further, 
we have rewritten proofs of various lemmas and theorems including Lemma 1271 Theorem |2H1 and 
Theorem 1321 Finally, preliminary versions of Sections 18.21 18.51 and 18.71 first appeared in |MG03| . 
We also gave a brief sketch of the algorithm described in Section [7.21 in |MG03j . However, details 
of the algorithm and its proof of correctness were not provided due to lack of space. 

The paper is organized as follows. Section [21 describes our model of distributed system and the 
notation we use in this paper. We formally define the notion of computation slice in Section In 
Section [IJ we introduce the class of regular predicates, using which we establish the existence and 
uniqueness of slice for all predicates in Section [SJ Section El describes an efficient representation 
for slice. In Section [7| and Section [HI we discuss our results pertaining to regular predicates and 
general predicates, respectively. Finally, in Section [51 we describe our recent results in slicing and 
applications of slicing to solving problems in combinatorics. 

2 Model and Notation 

Traditionally, a distributed computation is modeled as a partial order on a set of events |Lam78j . 
In this paper, we relax the restriction that the order on events must be a partial order. Instead, 
we use directed graphs to model distributed computations as well as slices. Directed graphs allow 
us to handle both of them in a uniform and convenient manner. 

Given a directed graph G, let V(G) and E(G) denote its set of vertices and edges, respectively. 
A subset of vertices of a directed graph forms a consistent cut if the subset contains a vertex only 
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if it also contains all its incoming neighbours. Formally, 

C is a consistent cut of G = (Ve, / G V(G) : (e, /) G E(G) : / G C => e G C) 

Observe that a consistent cut either contains all vertices in a cycle or none of them. This 
observation can be generalized to a strongly connected component. Traditionally, the notion of 
consistent cut (down-set or order ideal) is defined for partially ordered sets |DP90j . Here, we 
extend the notion to sets with arbitrary orders. Let C(G) denote the set of consistent cuts of a 
directed graph G. Observe that the empty set and the set of vertices V(G) trivially belong to 
C(G). We call them trivial consistent cuts. Let V(G) denote the set of pairs of vertices (u,v) such 
that there is a path from u to v in G. We assume that each vertex has a path to itself. 

2.1 Directed Graph: Path- and Cut-Equivalence 

c 

A directed graph G is cut- equivalent to a directed graph H, denoted by G = H, if they have the 

c 

same set of consistent cuts. Formally, G = H = C(G) = C(H). 

p 

Likewise, a directed graph G is path- equivalent to a directed graph H, denoted by G = H, if a 

path from vertex u to vertex v in G implies a path from vertex u to vertex v in H and vice versa. 
P 

Formally, G = H = V(G) = V(H). The next lemma explores the relation between the two 
notions. 

Lemma 1 Let G and H be directed graphs with the same set of vertices. Then, 

T{G) C V(H) = C(G) 2 C{H) 

Evidently, Lemma Q implies that two directed graphs are cut-equivalent if and only if they are 

path-equivalent. In other words, to determine whether two directed graphs are cut-equivalent, it 

is necessary and sufficient to ascertain that they are path-equivalent. This is significant because, 

whereas path-equivalence can be verified in polynomial-time (l'P(G)l = 0(\\/(G)\ 2 )), cut-equivalence 

is computationally expensive to ascertain in general = 0(2^( G ^)). In the rest of the paper, 

C P 

we use = to denote both = and =. 

2.2 Distributed Computation as Directed Graph 

A distributed computation (or simply a computation) (E, — ►) is a directed graph with vertices as 
the set of events E and edges as — >. To limit our attention to only those consistent cuts that can 
actually occur during an execution, we assume that V((E,—*)) contains at least the Lamport's 
happened-before relation |Lam78j . A distributed computation in our model can contain cycles. 
This is because whereas a computation in the traditional or happened-before model captures the 
observable order of execution of events, a computation in our model captures the set of possible 
consistent cuts. Intuitively, each strongly connected component of a computation can be viewed as 
a meta-event; all events in a meta-event should be executed atomically. 

We denote the set of processes in the system by P = {pi,P2, ■ ■ ■ ,Pn}- For an event e, let proc(e) 
denote the process on which e occurs. The predecessor and successor events of e on proc(e) are 
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denoted by pred(e) and succ(e), respectively, if they exist. When events e and / occur on the same 
process and e occurs before / in real-time, then we write e — ► /. Let ^> denote the reflexive closure 
of A 

We assume the presence of fictitious initial and final events on each process. The initial event 
on process pi, denoted by _Lj, occurs before any other event on pi. Likewise, the final event on 
process pi, denoted by Tj, occurs after all other events on pi. For convenience, let _L and T denote 
the set of all initial events and final events, respectively. We assume that all initial events belong 
to the same strongly connected component. Similarly, all final events belong to the same strongly 
connected component. This ensures that any non-trivial consistent cut will contain all initial events 
and none of the final events. As a result, every consistent cut of a computation in the traditional 
model is a non-trivial consistent cut of the corresponding computation in our model and vice versa. 
Only non-trivial consistent cuts are of real interest to us. As we will see later, the extended model 
allows us to capture empty slices in a very convenient fashion. 

The frontier of a consistent cut C, denoted by frontier (C), is defined as the set of those events 
in C whose successors are not in C . Formally, 

frontier(C) = {eeC|e0T=^ succ(e) C } 

A consistent cut passes through an event if the event belongs to the frontier of the cut. Two 
events are said to be consistent if they are contained in the frontier of some consistent cut, otherwise 
they are inconsistent. It can be verified that events e and / are consistent if and only if there is no 
path in the computation from succ(e), if it exists, to / and from succ(f), if it exists, to e. Note 
that, in the extended model, in contrast to the traditional model, an event can be inconsistent with 
itself. 

2.3 Global Predicate 

A global predicate (or simply a predicate) is defined as a boolean-valued function on variables of 
processes. Given a consistent cut, a predicate is evaluated with respect to the values of variables 
resulting after executing all events in the cut. If a predicate b evaluates to true for a consistent cut 
C, we say that "C satisfies b" . We leave the predicate undefined for the trivial consistent cuts. 

A global predicate is local if it depends on variables of a single process. Note that it is possible 
to evaluate a local predicate with respect to an event on the appropriate process. In case the 
predicate evaluates to true, the event is called a true event; otherwise, it is called a false event. 
Further, a predicate is said to be k-local if it depends on variables of at most k processes |SS95j . 
For example, suppose x% is an integer variable on process pi for each i £ [1 . . . n\. Then, x\ +X2 < 3 
is an example of 2-local predicate, and x\ * x% + x% < 6 an example of 3-local predicate. 

3 Computation Slice 

Informally, a computation slice (or simply a slice) is a concise representation of all those consistent 
cuts of the computation that satisfy the predicate. Formally, 
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Definition 1 (slice) The slice of a computation with respect to a predicate is the smallest directed 
graph — with the least number of consistent cuts — that contains all consistent cuts of the given 
computation for which the predicate evaluates to true. 

We will later show that the notion of smallest directed graph in the definition is well-defined 
for every predicate. The slice of computation (E, — >) with respect to a predicate b is denoted by 
(E, —>){,. Note that (E, — ►) = (E, — >) trU e- In the rest of the paper, we use the terms "computation", 
"slice" and "directed graph" interchangeably. 

Note that every slice derived from the computation (E, — >) will have the trivial consistent cuts 
(0 and E) among its set of consistent cuts. Thus a slice is empty if it has no non-trivial consistent 
cuts. In the rest of the paper, unless otherwise stated, a consistent cut refers to a non-trivial 
consistent cut. In general, a slice will contain consistent cuts that do not satisfy the predicate 
(besides trivial consistent cuts). In case a slice does not contain any such cut, it is called lean. 
Formally, 

Definition 2 (lean slice) The slice of a computation with respect to a predicate is lean if every 
consistent cut of the slice satisfies the predicate. 

An interesting question to ask is: "For what class of predicates is the slice always lean?" To 
answer the question, we introduce the class of regular predicates next. 

4 Regular Predicate 

Informally, the set of consistent cuts that satisfy a regular predicate is closed under set intersection 
and set union. Formally, 

Definition 3 (regular predicate) A global predicate is called regular if, given two consistent 
cuts that satisfy the predicate, the consistent cuts given by their set intersection and set union also 
satisfy the predicate. Mathematically, given a regular predicate b and consistent cuts C\ and C2, 

(Ci satisfies b) A (C2 satisfies b) =4> (C\ n C2 satisfies b) A (C\ U C2 satisfies b) 

It can be verified that a local predicate is regular. Hence the following predicates are regular. 

• process pi is in "red" state 

• the leader has sent all "prepare to commit" messages 

We now provide more examples of regular predicates. Consider a function f(x,y) with two 
arguments such that it is monotonic in its first argument x but anti-monotonic in its second 
argument y. Some examples of the function / are: x — y, 3x — 5y, x/y when x,y > 0, and 
log y x when x,y ^ 1. We establish that the predicates of the form f(x,y) < c and f(x,y) ^ c, 
where c is some constant, are regular when either both x and y are monotonically non-decreasing 
variables or both x and y are monotonically non- increasing variables. 
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Lemma 2 Let x and y be monotonically non- decreasing variables. Then the predicates f(x,y) < c 
and f{x, y) ^ c are regular predicates. 

Proof: We show that the predicate f(x,y) < c is regular. The proof for the other predicate is 
similar and has been omitted. For a consistent C, let x(C) and y(C) denote the values of variables 
x and y, respectively, immediately after all events in C are executed. Consider consistent cuts C\ 
and C2 that satisfy the predicate f(x,y) < c. Note that, by definition of C\ n C2, y{C\ n C2) is 
either y(C\) or y(C2). Without loss of generality, assume that y(C\ n C2) = y(C\). Then, 

f(x(c 1 nc 2 ),y(c 1 nc 2 )) 

= { assumption } 

f{x(c 1 c\C 2 )MCi)) 

{x is monotonically non-decreasing implies x(C\ H C2) ^ x(C±), I 
and / is monotonic in x 

/(x(Ci),y(C7i)) 
< { C\ satisfies the predicate f(x,y) < c } 
c 

Thus CinC2 satisfies the predicate f(x,y) < c. Likewise, it can be proved that C1UC2 satisfies 
the predicate f(x, y) < c. □ 

It can be established that Lemma |2] holds even when both x and y are monotonically non- 
increasing variables. Similar results can be proved for the case when < and ^ are replaced by > 
and ^, respectively. The following theorem combines all the above-mentioned results. 

Theorem 3 Let f be a function with two arguments such that it is monotonic in its first argument 
and anti-monotonic in its second argument. Then the predicate of the form f(x,y) relop c, where 
relop € {<, ^, >, ^} and c is some constant, is regular when either both x and y are monotonically 
non- decreasing variables or both x and y are monotonically non-increasing variables. 

By substituting f(x,y) with x — y, x with "the number of messages that process pi has sent 
to process pj so far" and y with "the number of messages sent by process pi that process pj has 
received so far" , it can be verified that the following predicates are regular. 

• no outstanding message in the channel from process pi to process pj 

• at most k messages in transit from process pi to process pj 

• at least k messages in transit from process pi to process pj 

We next show that the conjunction of two regular predicates is also a regular predicate. 
Theorem 4 The class of regular predicates is closed under conjunction. 
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The proof is given in the appendix. The closure under conjunction implies that the following 
predicates are also regular. 

• any conjunction of local predicates 

• no process has the token and no channel has the token 

• every "request" message has been "acknowledged" in the system 

5 Establishing the Existence and Uniqueness of Slice 

In this section, we show that the slice exists and is uniquely defined for all predicates. Our approach 
is to first prove that the slice not only exists for a regular predicate, but is also lean. Using this 
fact we next establish that the slice exists even for a predicate that is not regular. 

5.1 Regular Predicate 

It is well known in distributed systems that the set of all consistent cuts of a computation forms a 
lattice under the subset relation |JZ881 IMat89j . We ask the question does the lattice of consistent 
cuts satisfy any additional property? The answer to this question is in affirmative. Specifically, we 
show that the set of consistent cuts of a directed graph not only forms a lattice but that the lattice 
is distributive. A lattice is said to be distributive if meet distributes over join |DP90j . Formally, 

a n (b U c) = (a n b) U (a n c) 

where n and U denote the meet (infimum) and join (supremum) operators, respectively. (It can 
be proved that meet distributes over join if and only if join distributes over meet.) 

Theorem 5 Given a directed graph G, (C(G); C) forms a distributive lattice. 

Proof: Let C\ and C 2 be consistent cuts of G. We define their meet and join as follows: 

C l n C 2 = Ci n C 2 

Ciuc 2 = Ci u c 2 

It is sufficient to establish that C\ n C 2 and C\ U C 2 are consistent cuts of G which can be easily 
verified. □ 

The above theorem is a generalization of the result in lattice theory that the set of down-sets 
of a partially ordered set forms a distributive lattice |DP90j . We further prove that the set of 
consistent cuts (of a directed graph) does not satisfy any additional structural property. To that 
end, we need the notion of join-irreducible element defined as follows. 

Definition 4 (join-irreducible element |DP90j ^ An element of a lattice is join-irreducible if 

(1) it is not the least element of the lattice, and (2) it cannot be expressed as join of two distinct 
elements, both different from itself. Formally, a G L is join-irreducible if 

(3 x :: x < a) A (V x, y 6 L : a = x U y : (a = x) V (a = y)) 
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Pictorially, an element of a lattice is join-irreducible if and only if it has exactly one lower 
cover, that is, it has exactly one incoming edge in the corresponding Hasse diagram. The notion of 
meet-irreducible element can be similarly defined. It turns out that a distributive lattice is uniquely 
characterized by the set of its join-irreducible elements. In particular, every element of the lattice 
can be written as join of some subset of its join-irreducible elements and vice versa. This is formally 
captured by the next theorem. 

Theorem 6 (Birkhoff's Representation Theorem for Finite Distributive Lattices 

| DP9 0j^ Let L be a finite distributive lattice and JX{V) be the set of its join-irreducible elements. 
Then the map f : L — ► C{JX{L)) defined by 

f(a) = {x€ JX(L) | x < a } 

is an isomorphism of L onto C{JI{L)). Dually, let P be a finite poset (partially ordered set). Then 
the map g : P — > JI{C(P)) defined by 

g(a) = {x£P\x^a} 

is an isomorphism of P onto JI{C{P)). 

Note that the above theorem can also be stated in terms of meet-irreducible elements. 

Example 1 Consider the computation shown in Figure |2fa) . Figure H{b) depicts the lattice of 
consistent cuts of the computation. In the figure, the label of a consistent cut indicates the number 
of events that have to be executed on each process to reach the cut. For example, the label of the 
consistent cut C is (3, 2, 1) implying that to reach C, three events have to executed on process p\, 
two on p2 and one on ^3. Mathematically, C = {ei, e2, es, f\, /2, gi}. 

In Figure E^b), the consistent cuts of the computation corresponding to the join-irreducible 
elements of the lattice have been drawn in thick lines. There are eight join-irreducible elements 
which is same as the number of strongly connected components of the computation. Note that 
the poset induced on the set of strongly connected components of the computation is isomorphic 
to the poset induced on the set of join-irreducible elements of the lattice. It can be verified that 
every consistent cut of the computation can be expressed as the join of some subset of these join- 
irreducible elements. For example, the consistent cut C can be written as the join of the consistent 
cuts T and V. Moreover, the join of every subset of these join-irreducible elements is a consistent 
cut of the computation. For instance, the join of the consistent cuts T, V and W is given by the 
consistent cut D. □ 

In this paper, we are concerned with only a subset of consistent cuts and not the entire set of 
consistent cuts. To that end, the notion of sublattice of a lattice comes in useful |DP90j . Given a 
lattice, a subset of its elements forms a sublattice if the subset is closed under the meet and join 
operators of the given lattice. In our case, the meet and join operators are set intersection and 
set union, respectively. Clearly, the set of consistent cuts satisfying a regular predicate forms a 
sublattice of the lattice of consistent cuts. Finally, we make an important observation regarding a 
sublattice which will help us prove the desired result. 
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(c) (d) 
i i : trivial consistent cut ^ ) : non-trivial consistent cut 

( ) : join-irreducible element ^ : consistent cut that satisfies the predicate 

Figure 2: (a) A computation, (b) the lattice of its consistent cuts, (c) the sublattice of the consistent 
cuts that satisfy the regular predicate "all channels are empty" , and (d) the poset induced on the 
set of join-irreducible elements of the sublattice. 

Lemma 7 ([DP90J) A sublattice of a distributive lattice is also a distributive lattice. 

Example 2 In Figure Efb), the consistent cuts for which the regular predicate "all channels are 
empty" evaluates to true have been shaded. Figure |^c) depicts the poset induced on these 
consistent cuts. It can be verified that the poset forms a sublattice of the lattice in Figure Hfb). 



12 



Moreover, the sublattice is, in fact, a distributive lattice. 



□ 



We now prove that the slice for a predicate is lean if and only if the predicate is regular. 

Theorem 8 The slice of a computation with respect to a predicate is lean if and only if the predicate 
is regular. 

Proof: (if) Assume that the predicate, say b, is regular. Thus the set of consistent cuts that 
satisfy the predicate, denoted by forms a sublattice of the lattice of consistent cuts (of the 
computation). Prom Lemma Cf, is in fact a distributive lattice. Let JT(C\f) denote the set 
of join-irreducible elements of From Birkhoff's Representation Theorem, Cb is isomorphic to 
C(JZ(Cb)). Thus the required slice is given by the poset induced on JT(Cb) by C. Moreover, every 
consistent cut of the slice satisfies the predicate and therefore the slice is lean. 

(only if) Assume that the slice of a computation with respect to a predicate is lean. From the proof 
of Theorem the set of consistent cuts of the slice is closed under set union and set intersection. 
This in turn implies that the set of consistent cuts that satisfy the predicate is closed under set 
union and set intersection. Thus the predicate is regular. □ 

Example 3 The sublattice shown in Figure Hfc) has exactly six join-irreducible elements, namely 
U, V, W, X, Y and Z. These elements (or consistent cuts) have been drawn in thick lines. It 
can be ascertained that every consistent cut in the sublattice can be written as the join of some 
subset of the consistent cuts in J = {U,V,W, X,Y, Z}. In other words, every consistent cut of 
the computation that satisfies the regular predicate "all channels are empty" can be represented 
as the join of some subset of the elements in J . Moreover, the join of every subset of elements 
in J yields a consistent cut contained in the sublattice and hence a cut for which "all channels 
are empty". The poset induced on the elements of J by the relation C is shown in Figure Efd). 
(Recall that each join- irreducible element corresponds to a strongly connected component, that is, 
a meta-event.) This poset corresponds to the slice of the computation shown in Figure [2f a) with 
respect to the regular predicate "all channels are empty" . □ 

5.2 General Predicate 

To prove that the slice exists even for a predicate that is not a regular predicate, we define a 
closure operator, denoted by reg, which, given a computation, converts an arbitrary predicate into 
a regular predicate satisfying certain properties. Given a computation (E, — >), let 7Z(E) denote the 
set of predicates that are regular with respect to the computation (— ► is implicit). 

Definition 5 (reg) Given a predicate b, we define reg (b) as the predicate that satisfies the 
following conditions: 

1. it is regular, that is, reg (b) 6 TZ(E), 

2. it is weaker than b, that is, b reg (b), and 
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Figure 3: (a) A computation, (b) the lattice of its consistent cuts, (c) the sublattice of its consistent 
cuts that satisfy reg [x\ V X2), and (d) its slice with respect to reg (xi V X2) (and therefore also with 
respect to x\ V X2). 

3. it is stronger than any other predicate that satisfies (1) and (2), that is, 
(V b' : b' e 11(E) : (b => b') => {reg (b) b')) . 

Informally, reg (6) is the strongest regular predicate weaker than b. In general, reg (b) not only 
depends on the predicate b, but also on the computation under consideration. We assume the 
dependence on computation to be implicit and make it explicit only when necessary. The next 
theorem establishes that reg (b) exists for every predicate b. Observe that the slice for b is given 
by the slice for reg (b). Thus slice exists and is uniquely defined for all predicates. 

Theorem 9 Given a predicate b, reg (b) exists and is uniquely defined. 

Proof: Let TZb(E) be the set of regular predicates in TZ(E) weaker than b. Observe that IZb(E) is 
non-empty because true is a regular predicate weaker than b and therefore contained in 1Z\,(E). We 
set reg (b) to the conjunction of all predicates in TZb(E). Formally, 

reg(b) = f\ q 

q£Tl b (E) 

It remains to be shown that reg (b) as defined satisfies the three required conditions. Now, 
condition (1) holds because the class of regular predicates is closed under conjunction. Condition (2) 
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holds because every predicate in IZb(E) is weaker than b and hence their conjunction is weaker than 
b. Finally, let b' be a predicate that satisfies conditions (1) and (2). Note that b' G TZb(E). Since 
conjunction of predicates is stronger than any of its conjunct, reg (b) is stronger than b'. Thus 
reg (b) satisfies condition (3). □ 

Thus, given a computation (E, — ►) and a predicate b, the slice of (E, — ►) with respect to b can 
be obtained by first applying reg operator to b to get reg (b) and then computing the slice of (E, — ►) 
with respect to reg (6). 

Example 4 Consider the computation depicted in Figure [Ja). The lattice of its consistent cuts is 
shown in Figure E(b). Each consistent cut is labeled with its frontier. The consistent cuts for which 
the predicate x\ V x 2 evaluates to true have been shaded in the figure. Clearly, the set of consistent 
cuts that satisfy x\ V X2 does not form a sublattice. The smallest sublattice containing the subset 
is shown in Figure |3{c); the sublattice corresponds to the predicate reg (x± V x 2 )- The slice for the 
regular predicate reg (x\ V X2) and hence for the predicate x\ V X2 is portrayed in Figure E^d). □ 

Theorem 10 reg is a closure operator. Formally, 

1. reg (b) is weaker than b, that is, b =^ reg(b), 

2. reg is monotonic, that is, (b b') (reg (b) reg(b')), and 

3. reg is idempotent, that is, reg (reg (b)) = reg(b). 

From the above theorem it follows that |DP90l Theorem 2.21], 

Corollary 11 (TZ(E);^) forms a lattice. 

The meet and join of two regular predicates b\ and b 2 is given by 

b x n b 2 = 61 A b 2 

61 U 62 — reg (bi V 62) 

The dual notion of reg(b), the weakest regular predicate stronger than b, is also conceivable. 
However, such a predicate may not always be unique. 

Example 5 In the previous example, three consistent cuts satisfy the predicate x\V x 2 , namely X, 
Y and Z, as shown in Figure Etb). Two distinct subsets of the set S = {X, Y, Z}, given by {X, Y} 
and {X, Z}, form maximal sublattices of S implying that there is no weakest regular predicate that 
is stronger than x\ V x 2 - □ 

6 Representing a Slice 

Any directed graph that is cut-equivalent to a slice constitutes a valid representation of the slice. 
However, for computational purposes, it is preferable to select those graphs to represent a slice that 
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have fewer edges and can be constructed cheaply. In this section, we show that every slice can be 
represented by a directed graph with 0(|-E|) vertices and 0(n\E\) edges. 

Consider a regular predicate b and a computation (E, — >) . Recall that C((E, — ►)&) denote the set 
of consistent cuts of (E, — >)&, or, in other words, the set of consistent cuts of (E, — >} that satisfy b. 
For reasons of clarity, we abbreviate C((E, — >)&) by Cb{E). From Birkhoff 's Representation Theorem, 
the poset induced on JX{Cb{E)) by the relation C is cut-equivalent to the slice (E, —>){,. It can be 
proved that \JT{Cb{E))\ is upper-bounded by \E\. Therefore the directed graph corresponding to 
(Jl(C b (E));Q may have n(\E\ 2 ) edges. 

In order to reduce the number of edges, we exploit properties of join-irreducible elements. For 
an event e, let Jb(e) denote the least consistent cut of (E,—>) that satisfies b and contains e. In 
case no consistent cut containing e that also satisfies b exists or when e G T, J&(e) is set to E — one 
of the trivial consistent cuts. Here, we use E as a sentinel cut. We first show that Jfe(e) is uniquely 
defined. Let i e be the predicate defined as follows: 

C satisfies i e = e G C 

It can be proved that i e is a regular predicate. Next, consider the predicate b e defined as the 
conjunction of b and i e . Since the class of regular predicates is closed under conjunction, b e is also 
a regular predicate. The consistent cut J b (e) can now be reinterpreted as the least consistent that 
satisfies b e . Since b e is regular, the notion of least consistent cut that satisfies b e is uniquely defined, 
thereby implying that Jb(e) is uniquely defined. For purposes of computing the slice only, we assume 
that both trivial consistent cuts satisfy the given regular predicate. That is, {®,E} C Cb(E). The 
next lemma establishes that </{,(e) is a join-irreducible element of Cb(E). 

Lemma 12 Jb(e) is a join-irreducible element of the distributive lattice {Cb(E); C) . 

Proof: Suppose Jb(e) can be expressed as the join (in our case, set union) of two consistent cuts 
in Cb(E), say C\ and C2. That is, Jfe(e) = C\ U C2, where both C\ and C2 satisfy b. Our obligation 
is to show that either Jfe(e) = C\ or Jb(e) = C2. Since Jfe(e) contains e, either C\ or C2 contains 
e. Without loss of generality, assume that e belongs to C\. By definition of set union, C\ C Jb(e). 
Also, since C\ is a consistent cut containing e that satisfies 6, and Jfe(e) is the least such cut, 
Jb{e) ^ C\. Combining the two, Jb(e) = C\. □ 

It is possible that Jb(e)s are not all distinct. Let JbiE) denote the set {J&(e) | e G E }. Does 
J7&(e) capture all join-irreducible elements of Cb(E)? The following lemma provides the answer. 

Lemma 13 Every consistent cut inCb(E) can be expressed as the join of some subset of consistent 
cuts in Jb{E). 

Proof: Consider a consistent cut C in Cb(E). Let D(C) be the consistent cut defined as follows: 

D(C) = |J J b (e) 

We prove that D(C) is actually equal to C. Since, by definition, e G Jb(e), each event in C is 
also present in D{C). Thus C C D(C). To prove that -D(C) C C, consider an event eGC. Since 
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C is a consistent cut containing e that satisfies b and J&(e) is the Zeas£ such cut, Jfc(e) C C. More 
precisely, for each event e G C, J&(e) C C. This implies that D(C) CC. □ 

From the previous two lemmas, it follows that Jb{E) = JT(Cb(E)). Combining it with 
Birkhoff's Representation Theorem, we can deduce that: 

Theorem 14 Given a computation (E,—>) and a regular predicate b, the poset {J'b(E); is cut- 
equivalent to the slice (E,—>)t,. 

Next, in order to reduce the number of edges, rather than constructing a poset on the set of 
join-irreducible elements, we construct a directed graph with events as vertices. It can be easily 
verified that: 

Observation 1 The directed graph Gb(E) with the set of vertices as E and an edge from an event 
e to an event f if and only if Jb{e) C J&(/) is cut- equivalent to the slice (E, —>){,. 

Whereas the poset representation of a slice is better for presentation purposes, the graph 
representation is more suited for slicing algorithms. From the way the graph Qb{E) is constructed, 
clearly, two events e and / belong to the same strongly connected component of Qb{E) if and only 
if J{,(e) = Jb(f)- As a result, there is a one-to-one correspondence between the strongly connected 
components of Q b {E) and the join-irreducible elements of Cb(E). 

Now, let Fb(e) be a vector whose i th entry denotes the earliest event / on process pi such that 
Jb(e) Q Jb(f)- Informally, i*),(e)[i] is the earliest event on pi that is reachable from e in the slice 
(E, — ►)&. Using Fb(e)s, we construct a directed graph we call the skeletal representation of the slice 
and denote it by Sb(E). The graph Sb(E) has E as the set of vertices and the following edges: 

1. for each event e T, there is an edge from e to succ(e), and 

2. for each event e and process pi, there is an edge from e to F&(e)[z]. 

Example 6 Consider the slice depicted in Figure 0[d) of the computation shown in Figure [5(a) 
with respect to the predicate reg(x\ \l xq). Here, J&(/) = {a, e, /} and Jb(c) = {a,b,c,d,e,f,g} = 
J b (d). Also, F b (f) = [c, /] and F b (c) = [c,g] = F b (d). □ 

To prove that Sb(E) faithfully captures the slice {E,— we prove the following two lemmas. 
The first lemma establishes that Jb is order-preserving. 

Lemma 15 (Jb is order-preserving) Given events e and f,e—>f =>• J&(e) C Jb{f)- 

Proof: Consider J&(/). Since e — ► / and / G Jb(f), e G Jb(f)- Thus is a consistent cut that 

contains e and satisfies 6. Since Jb(e) is the Zeasi such cut, J&(e) C Jb(f). □ 

The second lemma shows that if J&(e) C Jf>(/) then there is a path from event e to event / in 
Sb(E) and vice versa. 

Lemma 16 Given events e and f, J&(e) C J&(/) = (e, /) G V(Sb(E)). 
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Proof: (=>•) Assume that J&(e) C J&(/). Let proc(f) = pi and g = Ff,(e)[i]. Since, by definition, 
5 is the earliest event on pi such that J&(e) C J b (g), Q — » /■ This implies that (g, /) G V{S b {E)). 
Further, by construction, (e,g) G V{S b {E)). Thus (e,/) G V(S b {E)). 

(<=) It suffices to show that for each edge (tt, in S b (E), J b (u) C J b (v). If v = succ(u) then 
Jft(n) C Jb(u) follows from Lemma Hoi If u = Fb(u)[i], where pi = proc(v), then Jfe(ti) C J;,(f) 
follows from the definition of F b (u). □ 

Finally, from Observation ^ and Lemma HTH we can conclude that: 

Theorem 17 S b (E) is cut- equivalent to (E,^) b . 

It is easy to see that S b (E) has 0(|.E|) vertices and 0(n\E\) edges. In the next section we give 
efficient polynomial-time algorithms to compute J b (e) and F b (e) for each event e when b is a regular 
predicate. 

7 Slicing for Regular Predicate 

In this section, we discuss our results on slicing with respect to a regular predicate. They are 
discussed here separately from our results on slicing for a general predicate because, as proved in 
Section lo.il the slice for a regular predicate is lean and therefore furnishes more information than the 
slice for a general predicate. First, we present an efficient 0(n 2 \E\) algorithm to compute the slice 
for a regular predicate. The algorithm can be optimized for the case when a regular predicate can be 
decomposed into a conjunction of clauses, where each clause itself is a /c-local regular predicate — 
a regular predicate that is also k- local — with small k. We also provide optimal algorithms for 
special cases of regular predicates such as conjunctive predicates and certain monotonic channel 
predicates. Next, we show how a regular predicate can be monitored under various modalities 
|CM911 IGar02bl IMG001 ISULOOj . specifically possibly, invariant and contmllable, using slicing. 
Finally, we demonstrate that results pertaining to consistent global checkpoints can be derived as 
special cases of slicing. 

7.1 Computing the Slice for Regular Predicate 

In this section, given a computation (E, — >) and a regular predicate 6, we describe an efficient 
0(n 2 \E\) algorithm to compute the slice (E,^>) b . In particular, we construct S b (E) — the skeletal 
representation of {E,^) b . To that end, it suffices to give an algorithm to compute F b (e) for each 
event e. 

Our approach is to first compute J b (e) for each event e. Consider the predicate b e defined in 
Section HO Since b e is a regular predicate, it is also a linear predicate. (A predicate is said to 
be linear if, given two consistent cuts that satisfy the predicate, the consistent cut given by their 
set intersection also satisfies the predicate.) Chase and Garg Gar02b give an efficient algorithm 
to find the least consistent cut that satisfies a linear predicate. Their algorithm is based on the 
linearity property which is defined as follows: 



18 





1 n n ■ it" ■ i 1 1 i rr\ m ni if'if inn / hi i. \ [Oi ^ yam 1 1 "i k nron i/ — ^ d /~i i nn 1 <| -\ nrnrflcc n ■ 

1 1 1 UU L . 1 L 1 d CUI I 1 pu Ld LIU 11 \ _C/ . ? / , I £. 1 d 1 trRU Id i Ui trU ICd Lc U, d 1 IU 1 O 1 d pi Ul_cbb 




Output: Jft(e) for each event e on 


1 


C* := _L; 


2 


for each event e on do // visited in the order given by — ► 


3 


done :— false; 


4 


if C = E then done := true; 


5 


while not(c?one) do 


6 


if there exist events / and g in frontier (C) 




such that succ(f) — ► g then / / C is not a consistent cut 


7 


C :— C U {succ(/)}; / / advance beyond f 




else 1 1 C is a consistent cut 


8 


if (C = i?) or (C satisfies & e ) then done := true; 




else 


9 


/ := forbidden(b e , C); / / invoke the linearity property 


10 


C := C U {succ(/)}; / / advance beyond f 




endif; 




endif; 




endwhile; 


11 


J 6 (e) := (7; 




endfor; 



Figure 4: The algorithm ComputeJ to determine Jb(e) for each event e on process pi. 

Definition 6 (linearity property | CG9 8j^ A predicate satisfies the linearity property if, given 
a consistent cut that does not satisfy the predicate, there exists an event in its frontier, called the 
forbidden event, such that there does not exist a consistent cut containing the given consistent 
cut that satisfies the predicate and also passes through the forbidden event. Formally, given a 
computation (E,^), a linear predicate b and a consistent cut C, 

C Y= b => (3 / : / G frontier{C) : (V D : D D C : D satisfies b succ{f) G D}} 

We denote the forbidden event of C with respect to b by forbidden(b,C). 

Figure 0] describes the algorithm ComputeJ to determine J&(e) for each event e on process pi, 
using the linearity property. The algorithm scans the computation once from left to right. Only 
a single scan is sufficient because, from Lemma El once we have computed J&(e), we do not need 
to start all over again to determine Jb(succ(e)) but can rather continue on from Jb(e) itself. The 
algorithm basically adds events one-by-one to the cut constructed so far until either all the events 
are exhausted or the desired consistent cut is reached. 

The time-complexity analysis of the algorithm ComputeJ is as follows. Each iteration of the while 
loop at lineElhas 0{n) time-complexity assuming that the time-complexity of invoking forbidden b e 
at line El once is 0{n). Moreover, the while loop is executed at most Od-E 1 !) times because in each 
iteration either we succeed in finding the required consistent cut or we add a new event to C . Since 
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Input: (1) a computation (E, — >}, (2) Jf,(e) for each event e, and (3) a process p^ 
Output: Fi(e) for each event e on p^ 



1 



for each process pj do 



3 



2 




/ / visited in the order given by 



4 



while Jfe(e) 2 ^&(/) do / := succ(f); endwhile; 



■5 




endfor; 



Figure 5: The algorithm ComputeF to determine Fb(e) for each event e on process pi. 

there are at most \E\ events in the computation, the while loop cannot be executed more than 
0(|-E|) times. Thus the overall time-complexity of the algorithm ComputeJ is 0{n\E\) implying 
that Jb(e) for each event e can be computed in 0(n 2 \E\) time. 

Finally, we give an algorithm to compute -F&(e) for each event e provided J&(e) for each event 
e is given to us. We first establish a lemma similar to Lemma El f° r Fb. The lemma allows us 
to compute the j th entry of i^(e) for each event e on process pi in a single scan of the events on 
process pj from left to right. 

Lemma 18 is order-preserving) Given events e and f and a process pi, 



Proof: Assume that e — ► /. Let g = F&(e)[i] and h = i*& (/)[«]. Note that proc(g) = proc(h) = p{. 
By definition of Fb(f), Jb(f) Q Jb(h). Since, from Lemma ITKl J&(e) C Jb(f), J&(e) C J&(/t). Again, 
by definition of -Ffe(e), 5 is the earliest event on pj such that Jfe(e) C Jb(g). Therefore g ^_h. □ 

Figure [5] depicts the algorithm ComputeF to determine -F&(e) for each event e on process pj. The 
algorithm is self-explanatory and its time-complexity analysis is as follows. Let Ej denote the set 
of events on process pj. The outer for loop at line ^ is executed exactly n times. For j th iteration of 
the outer for loop, the while loop at line|l]is executed at most O ( | -£7^ | + \Ej\) times. Each iteration 
of the while loop has O(l) time-complexity because whether J&(e) C Jb(f) can be ascertained by 
performing only a single comparison, namely testing whether e is contained Jb(f)- More precisely, 
Jb(e) Q Jb(f) if and only if e G Jb(f)- The reason is as follows. Since e G Jb(&), if Jb(e) Q 
then e G Jb(f)- Also, if e G then J&(/) is a consistent cut that contains e and satisfies 6. Since 

Jfe(e) is the least such cut, Jb(e) C Jb(f). Combining the two, we obtain the desired equivalence. 
The overall time-complexity of the algorithm ComputeF is, therefore, 0{n\Ei\ + \E\). Summing up 
over all processes, Fb{e) for each event e can be determined in 0{n\E\) time. The overall algorithm 
is summarized in Figure H3 



e-/ =► F ft (e)[i] ^ F 6 (/)[i] 
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Input: (1) a computation (E, — >}, and (2) a regular predicate b 
Output: the slice (£?,—>)& 

1 compute Jfc(e) for each event e using the algorithm ComputeJ; 

2 compute i*f,(e) for each event e using the algorithm ComputeF; 

3 construct Sf,(E) the skeletal representation of (.©,—►)&; 

4 output Sb(E); 



Figure 6: The algorithm SliceForRegular to compute the slice for a regular predicate. 

7.2 Optimizing for the Special Case: Computing the Slice for Decomposable 
Regular Predicate 

In this section, we explore the possibility of a faster algorithm for the case when a regular predicate 
can be expressed as a conjunction of clauses where each clause is again a regular predicate but 
depends on variables of only a small number of processes. For example, consider the regular 
predicate "counters on all processes are approximately synchronized", denoted by b sync , which can 
be expressed formally as: 



where each counter \ is a monotonically non-decreasing variable on process pj. In this example, each 
clause depends on variables of at most two processes and is therefore 2-local. Using the algorithm 
discussed in this section, it is possible to compute the slice for b sync in 0(n\E\) time — a factor of 
n faster than using the algorithm SliceForRegular. We describe the algorithm in two steps. In the 
first step, we give a fast algorithm to compute the slice for each clause. In the second step, we 
describe how to combine slices for all clauses together in an efficient manner to obtain the slice for 
the given regular predicate. 

7.2.1 Step 1 

Consider a computation {E, — ►) and a /c-local regular predicate b. Let Q denote the subset of 
processes whose variables b depends on. Without loss of generality, assume that — > is a transitive 
relation. We denote the projection of E on Q by E(Q) and that of — ► on Q x Q by — >(Q). Thus 
the projection of the computation (E, — ►) on Q is given by (E(Q), — >(Q))- 

We first show that the slice (E, — >)& of the computation (E, — ►) can be recovered exactly from 
the slice (E(Q), —>((?)) b of the projected computation (E(Q), — To that end, we extend the 
definition of i^(e) and define Fj,(e, Q) to be a vector whose i th entry represents the earliest event 
on process pi that is reachable from e in the slice (E(Q), — >(Q))b- Thus i*&(e) = F{,(e, P), where P 
is the entire set of processes, F(e,Q) = F true (e,Q) and F(e) = F true (e). We next define K{,(e) as 
follows: 



b 



sync 





otherwise 
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Input: (1) a computation {E,—>), 

(2) a fc-local regular predicate b that depends only on variables of Q C P with \Q\ ^ k 

Output: the slice (E,—>)t, 

1 compute F(e) for each event e; 

2 compute the projection of — >) onto Q, say (E(Q),^(Q)); 

3 compute the slice of (E(Q), — with respect to &, say (E(Q),—>(Q)) b , using 

the algorithm SliceForRegular; 
Also, compute F&(e, Q) for each event e; 

4 compute i^b(e) for each event e as follows: 



K b (e)\i] 



F b (e,Q)\i] : (e 6 E(Q)) A (p t 6 Q) 
■F(e)[i] : otherwise 



construct the directed graph H. b (E) with E 1 as its set of vertices and edges as follows: 

1. for each event e ^ T, there is an edge from e to succ{e), and 

2. for each event e and process pi, there is an edge from e to Kb(e)[i}. 
output TLb{E); 



Figure 7: The algorithm SliceForKLocalRegular to compute the slice for a fc-local regular predicate. 



We claim that it suffices to know Kb(e) for each event e to be able to compute the slice (E, —►);>. 
We build a graph Ti. b (E) in a similar fashion as the skeletal representation S b (E) of (E, — >} b except 
that we use K b instead of F b in its construction. The next lemma proves that every path in 7i b (E) 
is also a path in S b (E). 

Lemma 19 For each event e and process pi, F b (e)[i] ^± K b {e)[i]. 

Proof: Every consistent cut of the slice (E,—>) b is a consistent cut of the computation (E,—*) 
as well. Therefore, by Lemma El every path in (E,—t) is also a path in (E,—>) b . This in turn 
implies that, for each event e and process pi, F b (e)[i] ^± F(e)[i]. Our obligation is to prove that 
F b {e)[i] ^± F b (e,Q)[i] when e G E(Q) and p { G Q. 

Consider an event e G E(Q) and process pj G Q. For convenience, let / = F b (e, Q)[i]- Let C be 

the least consistent cut of the slice {E,^) b that contains /. Clearly, C is also a consistent cut of 

the computation We have, 

{ definition of projection } 

C(Q) is a consistent cut of (E(Q), —*(Q)) 
= { predicate calculus } 

(C(Q) is a consistent cut of (E(Q),-*(Q))) a((C = T) V (C / T)) 
=^ { in case C 7^ T, by definition, C satisfies 6 and b depends only on variables of Q } 
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C(Q) is a consistent cut of (E(Q), — 
{ / € C, proc(f) = pi, and p* G Q } 

(/ G C(Q)) A (C(Q) is a consistent cut of {E(Q),-+(Q)) b ) 

{ using definition of /, which is i*&(e, Q)[i] } 

(/ G C(Q)) A (there is a path from e to / in (E(Q),^(Q)} b )A 

(C(Q) is a consistent cut of (E(Q), — >(Q))b) 
=>■ { definition of consistent cut } 

(/ G C(Q)) A (e G C(Q)) 

{{e,/}CC(Q) implies {e,/}CC} 

(/ G C) A (e G C) 
= { definition of C } 

there is a path from e to / in {E, — 
= { definition of .Fb(e)[i] } 

#)[«]^/ 

ThusF 6 (e)[^F 6 (e,Q)[i]. □ 

We now prove the converse, that is, every path in Sb(E) is also a path in Hb{E). To that end, 
by virtue of Lemma ^ it suffices to show that every consistent cut of 7ib(E) is also a consistent cut 
of Sb(E) or, equivalently, every consistent cut of H b (E) satisfies b. 

Lemma 20 Every (non-trivial) consistent cut ofTCb(E) satisfies b. 

The proof is in the appendix. Finally, the previous two lemmas can be combined to give the 
following theorem: 

Theorem 21 7ib{E) is cut- equivalent to Sb{E). 

Observe that the two graphs TCb(E) and Sb(E) may actually be different. However, Theorem |2*T1 
ensures that the two will be cut-equivalent, thereby implying that TCb(E) captures the slice faithfully. 
Figure [7| describes the algorithm SliceForKLocalRegular for computing the slice for a /c-local regular 
predicate. We assume that the computation is given to us as n queues of events — one for each 
process. Further, the Fidge/Mattern's timestamp ts(e) for each event e is also available to us, 
using which J(e) can be computed easily. The algorithm ComputeF can be used to F{e) for each 
event e in 0{n\E\). The projection of the computation on Q can then be computed at line^in a 
straightforward fashion — by simply ignoring events on other processes. The slice of the projected 
computation can be computed at line|Hlin 0(|Q| 2 |£J((5)|) time. The vector i£&(e) for each event e 
can be determined at line|l]in 0{n\E\) time. Finally, the graph 7ib{E) can be constructed at line[5] 
in 0(n\E\) time. Thus the overall time-complexity of the algorithm is 0(|<3| 2 |.E(<3)| + 7T.|£7|). If 
\Q\ is small, say at most y/n, then the time-complexity of the algorithm is 0(n\E\) — a factor of n 
faster than computing the slice directly using the algorithm SliceForRegular. 
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Figure 8: (a) A computation, (b) its slice with respect to the predicate x\ Vi2, (c) its projection 
on processes p\ and P2, (d) the slice of the projected computation with respect to the predicate 
x\ V X2, and (e) the slice computed in (d) mapped to the original set of processes. 

A natural question to ask is: "Can this technique of taking a projection of a computation on a 
subset of processes, then computing the slice of the projection and finally mapping the slice back 
to the original set of processes be used for a non-regular predicate as well?" The answer is no in 
general as the following example demonstrates. 

Example 7 Consider the computation shown in Figure EJa) involving three processes pi, P2 and 
p%. Let x\ and X2 be boolean variables on processes p\ and P2, respectively. In the figure, the solid 
events, namely and f^, satisfy the respective boolean variable. The slice of the computation for 
the (non-regular) predicate x\ V X2 is depicted in Figure Htb). Figure |Hfc) displays the projection 
of the computation on processes on which the predicate x\ V X2 depends, namely p\ and p2- The 
slice of the projected computation is shown in Figure |HJ^d) and its mapping back to the original set 
of processes is depicted in Figure EJe). As it can be seen, the slice shown in Figure IBfe) computed 
using the algorithm SliceForKLocalRegular is different from the actual slice shown in Figure |Hfb). 
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For instance, events gi and 53 belong to the same meta-event in the actual slice but not in the 
slice computed using the algorithm SliceForKLocalRegular. The reason for this difference is as 
follows. Since the predicate x\ V X2 is non-regular, the slice of the projected computation shown 
in Figure IHJd) contains the consistent cut X = {e±, ei, fi, fi\ which does not satisfy x\ V12 but 
has to be included anyway so as to complete the sublattice. Now, on mapping this slice back to 
the original set of processes, the resulting slice depicted in Figure |HJ^e) will contain all consistent 
cuts of the original computation whose projection on {pi,P2} is X. There are three such consistent 
cuts, namely X U {gi}, X U {(71,52} and X U {gi, g2, 93}- However, only one of these consistent 
cuts, given by X U {gi, g2, 93}, is required to complete the sublattice for the actual slice. □ 

It can be verified that the algorithm SliceForKLocalRegular when used for computing the slice 
for a non-regular predicate, in general, produces a slice bigger than the actual slice. Thus it yields 
a fast way to compute an approximate slice for a non-regular predicate (e.g., linear predicate). 

7.2.2 Step 2 

Now, consider a decomposable regular predicate b expressible as conjunction of /c-local regular 
predicates \P\ where 1 ^ j ^ m. Let Q J denote the subset of processes whose variable(s) the j th 
clause b^' depends on. For a process pi, we define clausesi as the set of those clauses that depend 
on some variable of pi, that is, clausesi = { £>w) \ pi G Qi }. Also, let s = max \clausesi\. For 

example, for the regular predicate b sync , k = 2 and s = n. 

To obtain the slice with respect to b, we can proceed as follows. We first compute the slice for 
each clause using the algorithm SliceForKLocalRegular. This will give us K b (j)(e) for each clause 
b^> and event e. Then, for each event e and process pi, we simply set iiTf,(e)[i] to the earliest event 
in the set {K b (i)(e)[i], K b (2)(e)[i], . . . , K b ( m )(e)[i]}. However, this approach has time-complexity of 
0({nm + k 2 s)\E\). 

To reduce the time-complexity, after computing the slice (E(Q : >), — >(Q-')) b u) for each clause b^\ 
we compute directly without first computing K b (j) for each clause b^\ The algorithm is shown 
in Figure El Intuitively, among all the slices for the clauses belonging to clauses^, Kb(e)[i] is the 
earliest event on pi that is reachable from e. Formally, 

K b (e)\i]= min F bU) (e,Q^)[i\ 

bv> Gclausesi 

It can be verified that the graph 7ib(E) then constructed using K b [e) for each event e — in a 
similar fashion as in Step 1 — is actually cut-equivalent to the slice (E, — The proof is similar to 
that in Step 1 and has been omitted. The overall time-complexity of the algorithm is given by: 

m 

0(n\E\)+j:0(\Qi\ 2 \E(Qi)\) 
i=i 

= { each &W is a /c-local predicate, therefore |Q J | ^ k } 

m 

0(n\E\) + 0(k 2 Z\E(Q j )\) 
3=1 

= { simplifying } 

0(n\E\ + k 2 s \E\) = 0((n + k 2 s)\E\) 
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for each event e G E do 

A' fc (e) := F(e); 
endfor; 

for each conjunct 6^ do 

for each event e £ E{Qi) do 
for each process g Q- 7 do 

jr 6 (e)[i] := mm{ir 6 (e)[i], F 6W (e,Q^)[t] }; 

endfor; 
endfor; 
endfor; 



Figure 9: Computing Kf,(e) for each event e. 

In case A; is 0(1) and s is O(n), as is the case with b sync , the overall time-complexity is 0(n\E\), 
which is a factor of n less than computing the slice directly using the algorithm SliceForRegular. 

7.3 Optimal Algorithms for Special Cases 

For special cases of regular predicates, namely conjunctive predicates and certain monotonic channel 
predicates, it is possible to give an 0(|-E|) optimal algorithm for computing the slice. We only 
present the slicing algorithm for the class of conjunctive predicates here. The slicing algorithm for 
the class of monotonic channel predicates is given in the appendix. 

7.3.1 Computing the Slice for Conjunctive Predicate 

Consider a computation (E, — >) and a conjunctive predicate b. The first step is to partition events 
on each process into true events and false events. Having done that, we then construct a graph 
7ib(E) with vertices as the events in E and the following edges: 

1. from an event, that is not a final event, to its successor, 

2. from a send event to the corresponding receive event, and 

3. from the successor of a false event to the false event. 

For the purpose of building the graph, we assume that all final events are true events. Thus every 
false event has a successor. The first two types of edges ensure that the Lamport's happened-before 
relation |Lam78j is contained in V{TLb{E)). Consider the computation depicted in Figure ITUT a) and 
the conjunctive predicate x\ A %i. The corresponding graph constructed as described is shown in 
Figure [TUf b). We now establish that the above-mentioned edges are sufficient to eliminate all those 
consistent cuts of the computation that do not satisfy the conjunctive predicate. 

Lemma 22 Every (non-trivial) consistent cut ofTCb(E) satisfies b. 
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• : true event O : false event 



Figure 10: (a) A computation, and (b) its slice with respect to the conjunctive predicate x\ Ax2- 

Proof: It is sufficient to prove that no consistent cut of 7ib(E) contains a false event in its frontier. 
Consider a consistent cut C of 7ib(E). Assume, on the contrary, that C contains a false event, say 
e, in its frontier. Since every false event has a successor, by construction, there is an edge from the 
successor of e, say /, to e. Therefore / also belongs to C. This contradicts the fact that e is the 
last event on its process to be contained in C. □ 

We next show that the above constructed graph retains all consistent cuts of the computation 
that satisfy the conjunctive predicate. 

Lemma 23 Every consistent cut of (E, — >) that satisfies b is a consistent cut ofTCb(E). 

Proof: Consider a consistent cut C of (E,—>) that satisfies b. Assume, on the contrary, that C 
is not a consistent cut of 7ib(E). Thus there exist events e and / such that there is an edge from 
e to / in TCb(E), f belongs to C but e does not. Since C is a consistent cut of (E, — >), the edge 
from e to / could only of type (3). (The other two types of edges are present in (E, — >) as well.) 
Equivalently, e and / occur on the same process, e is the successor of /, and / is a false event. 
Again, since / is contained in C but its successor e is not, / belongs to the frontier of C. However, 
C satisfies b and hence cannot contain any false event in its frontier. □ 

From the previous two lemmas, it follows that: 

Theorem 24 Ttb(E) is cut- equivalent to (E,—>-)b- 

It is easy to see that the graph Ttb(E) has 0(|i?|) vertices, (9(|i?|) edges (at most three edges 
per event assuming that an event that is not local either sends at most one message or receives at 
most one message but not both) and can be built in 0(|i?|) time. Thus the algorithm has Od-El) 
overall time-complexity. It also gives us an 0(|i?|) algorithm to evaluate possibly: b when b is a 
conjunctive predicate. 

7.4 Applications of Slicing 

In this section, we show that slicing can be used to solve other problems in distributed systems. 
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7.4.1 Monitoring Regular Predicate under Various Modalities 

A predicate can be monitored under four modalities, namely possibly, definitely, invariant and 
controllable |CM91llHar02l^lM(;00IISUL00j . A predicate is possibly true in a computation if there 
exists a consistent cut of the computation that satisfies the predicate. On the other hand, a predicate 
definitely holds in a computation if it eventually becomes true in all runs of the computation (a run 
is a path in the lattice of consistent cuts starting from the initial consistent cut and ending at the 
final consistent cut). The modalities invariant and controllable are duals of the modalities possibly 
and definitely, respectively. Monitoring has applications in the areas of testing and debugging and 
software fault tolerance of distributed programs. 

We show how to monitor a regular predicate under possibly : b, invariant : b and controllable : b 
modalities using slicing. Given a directed graph G, let scc(G) denote the number of strongly 
connected components of G. 

Theorem 25 A regular predicate is 

1. possibly true in a computation if and only if the slice of the computation with respect to 
the predicate has at least one non-trivial consistent cut, that is, it has at least two strongly 
connected components. Formally, possibly: b = scc((E, — >)&) ^ 2. 

2. invariant in a computation if and only if the slice of the computation with respect to the 
predicate is cut- equivalent to the computation. Formally, invariant: b = (E, — >){, = (E,—>). 

3. controllable in a computation if and only if the slice of the computation with respect to 
the predicate has the same number of strongly connected components as the computation. 
Formally, controllable: b = scc((E, — >)&) = scc((E, — >) ). 

The proof of the theorem can be found in the appendix. We do not yet know how to monitor 
a regular predicate under definitely modality. 

7.4.2 Zig-Zag Consistency Theorem: A Special Case of Slicing 

We now show how slicing relates to some of the well-known results in checkpointing. Consider a 
conjunctive predicate such that the local predicate for an event on a process is true if and only if the 
event corresponds to a local checkpoint. It can be verified that there is a zigzag path |NX95llWan97j 
from a local checkpoint c to a local checkpoint d in a computation if and only if there is a path 
from succ(c), if it exists, to d in the corresponding slice — which can be ascertained by comparing 
J{ J (succ(c)) and Jb(d). An alternative formulation of the consistency theorem in |JNX95j can thus 
be obtained as follows: 

Theorem 26 A set of local checkpoints can belong to the same consistent global snapshot if and 
only if the local checkpoints in the set are mutually consistent (including with itself) in the slice. 

Moreover, the R-graph (rollback-dependency graph) |Wan97j is path-equivalent to the slice 
when each contiguous sequence of false events on a process is merged with the nearest true event 
that occurs later on the process. The minimum consistent global checkpoint that contains a set of 
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local checkpoints |Wan97j can be computed by taking the set union of Jt's for each local checkpoint 
in the set. The maximum consistent global checkpoint can be similarly obtained by using the dual 
of J b . 

8 Slicing for General Predicate 

In this section, we describe our results on slicing for general predicates. We first prove that it is 
in general NP-hard to compute the slice for an arbitrary predicate. Nonetheless, polynomial-time 
algorithms can be developed for certain special classes of predicates. In particular, we provide 
efficient algorithm to compute the slice for a linear predicate and its dual — a post-linear predicate 
|Gar02bj . We next present an efficient algorithm for composing two slices efficiently; composition 
can be done with respect to meet or join operator as explained later. Slice composition can be 
used to compute the slice for a predicate in DNF (disjunctive normal form). We further provide 
three more applications of composition. First, we demonstrate how composition can be employed 
to compute the slice for a co-regular predicate — complement of a regular predicate — in polynomial- 
time. Second, using composition, we derive a polynomial-time algorithm to the compute the slice for 
a k-local predicate for constant k. Lastly, we employ slice composition to compute an approximate 
slice — in polynomial-time — for a predicate composed from linear predicates, post-linear predicates, 
co-regular predicates and fe-local predicates, for constant k, using A and V operators. 

8.1 NP-Hardness Result 

It is evident from the definition of slice that the following is true: 

Observation 2 The necessary and sufficient condition for the slice of a computation with respect 
to a predicate to be non-empty is that there exists a consistent cut of the computation that satisfies 
the predicate. 

However, finding out whether some consistent cut of the computation satisfies a predicate is 
an NP-complete problem |Gar02bj . Thus it is in general NP-complete to determine whether the 
slice for a predicate is non-empty. This further implies that computing the slice for an arbitrary 
predicate is an NP-hard problem. From the results of |MG01bj . it follows that this is the case even 
when the predicate is a singular 2-CNF (conjunctive normal form) predicate. 

8.2 Computing the Slice for Linear Predicate and its Dual 

Recall that a predicate is linear if given two consistent cuts that satisfy the predicate, the cut 
given by their set intersection also satisfies the predicate |Gar02bj . A post-linear predicate can 
be defined dually |Gar02bj . In this section, we prove that the slicing algorithm SliceForRegular 
for a regular predicate described in Section 17.11 can be used for a linear predicate as well. For a 
post-linear predicate, however, a slightly different version of the algorithm based on the notion of 
meet-irreducible element will be applicable. The proof is given in the appendix. 
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8.3 Composing Two Slices 



Given two slices, slice composition can be used to either compute the smallest slice that contains all 
consistent cuts common to both slices — composing with respect to meet — or compute the smallest 
slice that contains consistent cuts of both slices — composing with respect to join. In other words, 
given slices (E, — and (E, — >){, 2 , where b\ and 62 are regular predicates, composition can be used 
to compute the slice (E, —>■)&, where b is either b\ n 62 = &1A 62 or b\ U 62 = reg{b\\J 62). Slice 
composition enables us to compute the actual slice for an arbitrary boolean expression of local 
predicates — by rewriting it in DNF — although it may require exponential time in the worst case. 

8.3.1 Composing with respect to Meet: b = bi n D2 = bi A b2 

In this case, the slice (E, — >)& contains a consistent cut of (E, — >) if and only if the cut satisfies 61 
as well as 62. Given an event e, let i^niin( e ) denote the vector obtained by taking componentwise 
minimum of i ? b 1 (e) and Fj >2 (e). We first prove that no component of -F m in(e) is less than (or occurs 
before) the corresponding component of i^(e). 

Lemma 27 For each event e and process pi, Fb(e)[i] ^± -^min(e)[i]- 

Proof: For convenience, let / = i^(e)[i]. Let C be the least consistent cut of the slice (E,—>){, 



that contains /. Clearly, C is also a consistent cut of the computation (E, — >) . We have, 
(C is a consistent cut of (E, -►)) a((C = T) V (C / T)) 



=>• { in case C 7^ T, by definition, C satisfies b and therefore satisfies b\ as well } 

C is a consistent cut of (E, — >)&! 
=>• { by definition, C contains / } 

(/ G C) A (C is a consistent cut of (E 1 , — O^) 
=>• { using definition of /, which is -F; )1 (e)[i] } 

(/ G C) A (there is a path from e to / in (E, — A (C is a consistent cut of 
=^ { definition of consistent cut } 



We now construct a directed graph S m i n (E) that is similar to Sf,(E) except that we use -F m i n 
instead of Fj, in its construction. The following theorem proves that S m { n (E) is in fact cut-equivalent 




Therefore F&(e)[i] Fb 1 (e)[i]. Likewise, Ffe(e)[i] —> Fh 2 (e)[i\. 



□ 



to S b {E). 
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Theorem 28 tS m i n (.£/) is cut- equivalent to S b (E). 

Proof: We have, 

{ definition of -F m i n } 

(r(S bl (E)) C V(S miQ (E))) A (v(S h2 (E)) C V(S min (E))) 
= { using Lemma ^ } 

(c(S miQ (E)) C C(<S 6l (£))) A (C(S^(E)) C C(S& 2 (£))) 
= { set calculus } 

c(cS min (£)) c (c(«s 6l (E)) n cosmos))) 

= { 6 = bi A 6 2 } 

C(5 min (E)) C C(S b (E)) 

Also, we have, 

{ using Lemma ^\ } 
V(S min (E)) C 7>(S 6 (£)) 
= { using Lemma ^ } 

C(5 6 (S)) C C(«S min (£)) 

Thus C(S min (£)) = C(S b (E)). □ 

Roughly speaking, the aforementioned algorithm computes the union of the sets of edges of 
each slice. Note that, in general, -F),(e)[i] need not be same as ^min(^)[^]* This algorithm can be 
generalized to conjunction of an arbitrary number of regular predicates. 

8.3.2 Composing with respect to Join: b = bi U b2 = reg (bi V b2) 

In this case, the slice {E, — >)& contains a consistent cut of {E, — >) if the cut satisfies either b\ or 
62. Given an event e, let F maK (e) denote the vector obtained by taking componentwise maximum 
of F bl (e) and F b2 (e). We first prove that no component of F b (e) is less than (or occurs before) the 
corresponding component of F max (e). 

Lemma 29 For each event e and process pi, F max (e)[i] A .Fb(e)[i]. 

The proof of Lemma is similar to that of Lemma and therefore has been omitted. We 
now construct a directed graph S max (E) that is similar to S b (E) except that we use F max instead 
of F b in its construction. The following theorem proves that S mSuX (E) is in fact cut-equivalent to 
Sb(E). 

Theorem 30 S max (E) is cut- equivalent to S b (E). 
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Again, the proof of Theorem 1301 is similar to that of Theorem 1281 and hence has been omitted. 
Intuitively, the above-mentioned algorithm computes the intersection of the sets of edges of each 
slice. In this case, in contrast to the former case, i*J,(e)[i] is identical to F max (e)[i\. The reason 
is as follows. Recall that i*J,(e)[i] is the earliest event on pi that is reachable from e in (E,—>)i,. 
From Theorem 1301 at least F max (e)[i] is reachable from e in {E, — >}&. Thus F&(e)[i] ^± F max (e)[i}. 
Combining it with Lemma [2*^1 we obtain, 

Observation 3 For each event e and process pi, Fb(e)[i] = F max (e)[i\. 

This algorithm can be generalized to disjunction of an arbitrary number of regular predicates. 

8.4 Computing the Slice for Co-Regular Predicate 

Given a regular predicate, we give an algorithm to compute the slice of a computation with respect 
to its negation — a co-regular predicate. In particular, we express the negation as disjunction of 
polynomial number of regular predicates. The slice can then be computed by composing together 
slices for each disjunct. 

Consider a computation (E, — >) and a regular predicate b. For convenience, let — be the edge 
relation for the slice {E, — Without loss of generality, assume that both — > and — >;> are transitive 
relations. Our objective is to find a property that distinguishes the consistent cuts that belong to 
the slice from the consistent cuts that do not. Consider events e and / such that e/>/ but e — >b f ■ 
Then, clearly, a consistent cut that contains / but does not contain e cannot belong to the slice. 
On the other hand, every consistent cut of the slice that contains / also contains e. This motivates 
us to define a predicate prevents(f, e) as follows: 



We now prove that the predicate prevents(f, e) is a regular predicate. Specifically, we establish 
that prevents(f,e) is a conjunctive predicate. 

Lemma 31 prevents(f,e) is a conjunctive predicate. 

Proof: Let proc{e) = pi and proc(f) = pj. We define a local predicate k(e) to be true for an event 
g on process pi if g — > e. Similarly, we define a local predicate rrij(f) to be true for an event h on 
process pj if / ^± h. Clearly, prevents(f, e) is equivalent to U{e) A rrij(f). □ 

It turns out that every consistent cut that does not belong to the slice satisfies prevents^/, e) 
for some pair of events (e, /) such that (e -/-> f) A (e — >b f) holds. Formally, 

Theorem 32 Let C be a consistent cut of (E, — >) . Then, 



C satisfies prevents(f, e) 



A 



(/ € C) A (e g C) 



C satisfies ->b 



(3 e, / : (e/> /) A (e — >{, f) : C satisfies prevents(f, e 



)) 



Proof: We have, 
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C satisfies -16 
= { b is a regular predicate } 

-n(cec«E,^) 6 )) 

= { definition of C((-E,->) 6 ) } 

-(Ve,/:e^/:/6C^eeC) 
= { predicate calculus } 

(3e,/:e^/:(/eC)A(e^)) 
= { definition of prevents(f , e) } 

(3e, f : e — / : C satisfies prevents(f, e)) 
= { predicate calculus } 

(3 e,/ : (e ->- 6 /) A f(e -> /) V (e/* /)) : C satisfies prevents(f,e)) 
= { e -> / implies e / } 

(3e,/:(e-»/) V (( e ->& /) A ( e 7^ /)) : C satisfies prevents(f,e)) 
= { since C is a consistent cut of (E,—*), C satisfies prevents(f,e) implies e/> / } 

(3 e, f : (e — >& /) A (e •/►/): C satisfies prevents(f, e)) 

This establishes the theorem. □ 

Theorem 1321 can also be derived using the results in lattice theory |Riv74j . We now give the 
time-complexity of the algorithm. We start by making the following observation. 

Observation 4 Let e, f and g be events such that f — > g. Then, 

prevents(g, e) prevents(f, e) 

Let -Kb(e) denote the vector whose i th entry denote the earliest event / on process pi, if it exists, 
such that (e ■/+ /) A (e — >b f) holds. Observation 0] implies that prevents(Kb(e)[i],e), whenever 
Kb(e)[i] exists, is the weakest predicate among all predicates prevents(f, e), where proc(f) = pi 
and (e/» /) A (e — ►& /). Thus we can ignore all other events on pi for the purpose of computing 
the slice for a co-regular predicate. More precisely, Theorem 1321 can be restated as: 

Theorem 33 Let C be a consistent cut of (E, — >) . Then, 

C satisfies -*b = (3 e,pi : Kb(e)[i] exists : C satisfies prevents(Kb(e)[i],e)) 

It turns out that i£&(e)[i] and Ffe(e)[i] are closely related. 

Observation 5 Kb(e)[i] exists if and only if e-/* Fb(e)[i]. Moreover, whenever Kb(e)[i] exists it is 
identical to Fb{e)\i]. 
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Theorem implies that the number of disjuncts in the predicate equivalent to the negation 
of a regular predicate is at most 0(n\E\). Further, using Observation these disjuncts can be 
determined in 0{n 2 \E\) time using the algorithms ComputeJ and ComputeF discussed in Section 17m 
The slice with respect to each disjunct can be computed in 0(|i£|) time using the slicing algorithm 
for conjunctive predicate. Moreover, for a disjunct b^\ J b (i) (e) for each event e can be computed in 
0{n\E\) time from its slice {E, —*•}{,(») (by topologically sorting the strongly connected components). 
Using J b n), it is possible to determine F b (i)(e) for each event e in 0(n\E\) time using the algorithm 
ComputeF. Finally, these slices can be composed together to produce the slice for a co-regular 
predicate in 0(n\E\ x n|.E|) = 0(n 2 \E\ 2 ) time. This is because, given an event e, computing each 
entry of F b i(e), where b' = reg(^b), using Observation |3] requires 0(n\E\) time. Thus the overall 
time-complexity of the algorithm is 0(n 2 \E\ + n 2 \E\ 2 ) = 0(n 2 \E\ 2 ). 

8.5 Computing the Slice for k-Local Predicate for Constant k 

In case the predicate is regular, we can simply use the algorithm SliceForKLocalRegular to compute 
the slice in 0(n\E\) time. However, if the predicate is not regular, then the slice produced will only 
be an approximate one. To compute the slice for a A;-local predicate, which is not regular, we use 
the technique developed by Stoller and Schneider |SS95j . For a given computation, their technique 
can be used to transform a /c-local predicate into a predicate in /c-DNF (disjunctive normal form) 
with at most m k ~ l clauses, where m is the maximum number of events on a process. For example, 
consider the predicate x\ / x 2 - Let V denote the set of values that x\ can take in the given 
computation. Then x\ ^ x 2 can be rewritten as: 

xi ^ x 2 = \f ((xi = v) A (x 2 / vfj 

Note that |V| ^ m. Thus the resultant predicate, in the above case, consists of at most m 
clauses where each clause is a conjunctive predicate |Gar02bj N ). In general, the resultant /c-DNF 
predicate will consist of at most m k ~ l clauses. To compute the slice for each clause, we use the 
optimal 0(|-E|) algorithm given in Section lV.3.11 We then compose these slices together with respect 
to disjunction to obtain the slice for the given fe-local predicate. The overall time-complexity of 
the algorithm is given by 0(nm k ~ l \E\). 

8.6 Computing an Approximate Slice 

Even though it is, in general, NP-hard to compute the slice for an arbitrary predicate, it is still 
possible to compute an approximate slice in many cases. The slice is "approximate" in the sense that 
it is bigger than the actual slice for the predicate. Nonetheless, it still contains all consistent cuts 
of the computation that satisfy the predicate. In many cases, the approximate slice that we obtain 
is much smaller than the computation itself and therefore can be used to prune the search-space 
for many intractable problems such as monitoring predicates under various modalities. 

In particular, using slice composition and slicing algorithms for various classes of predicates, it 
is possible to compute an approximate slice in an efficient manner for a large class of predicates — 
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namely those derived from linear predicates, post-linear predicates, regular predicates, co-regular 
predicates, and /c-local predicates for constant k using A and V operators. 

To compute an approximate slice for such a predicate, we first construct the parse tree for the 
corresponding boolean expression; all predicates occupy leaf nodes whereas all operators occupy 
non-leaf nodes. We then recursively compute the slice by starting with leaf-nodes and moving up, 
level by level, until we reach the root. For a leaf node, we use the slicing algorithm appropriate for 
the predicate contained in the node. For example, if the leaf node contains to a linear predicate, 
we use the algorithm described in Section T8. 21 For a non-leaf node, we use the suitable composition 
algorithm depending on the operator. 

Example 8 Suppose we wish to compute an approximate slice for the predicate {x\ VX2) A(x3 VX4), 
where each X{ is a regular predicate. First, we compute slices for regular predicates x\, x%, x% and 
X4. Next, we compose the first two and the last two slices together with respect to join to obtain 
slices for the clauses x\ \f X2 and X3 VX4, respectively. Finally, we compose the slices for both clauses 
together with respect to meet. The slice obtained will contain all consistent cuts that satisfy the 
predicate {x\ V X2) A (23 V £4). □ 

8.7 Experimental Evaluation 

In this section, we evaluate the effectiveness of slicing in pruning the search-space for detecting a 
predicate under possibly modality. We compare our approach with that of Stoller, Unnikrishnan and 
Liu |SUL00j . which is based on partial- order methods |God96j . Intuitively, when searching the state- 
space, at each consistent cut, partial-order methods allow only a small subset of enabled transitions 
to be explored. In particular, we use partial-order methods employing both persistent and sleep 
sets for comparison. We consider two examples that were also used by Stoller, Unnikrishnan and 
Liu to evaluate their approach |SUL00j . 

The first example, called primary-secondary, concerns an algorithm designed to ensure that 
the system always contains a pair of processes acting together as primary and secondary. The 
invariant for the algorithm requires that there is a pair of processes pi and pj such that (1) pi is 
acting as a primary and correctly thinks that pj is its secondary, and (2) pj is acting as a secondary 
and correctly thinks that pi is its primary. Both the primary and the secondary may choose new 
processes as their successor at any time; the algorithm must ensure that the invariant is never 
falsified. A global fault, therefore, corresponds to the complement of the invariant which can be 
expressed as: 

-iip S = ^ (^isPrimaryi V ^isSecondaryj V {secondary-i 7^ pj) V (primaryj 7^ pi^j 
i,je[i—n], i^j 

Note that ~~ 'Ip S is a predicate in CNF where each clause is a disjunction of two local predicates. 
An approximate slice for -^I ps can be computed in 0(n?\E\) time. In the second example, called 
database partitioning, a database is partitioned among processes P2 through p n , while process p\ 
assigns tasks to these processes based on the current partition. A process pi, i G [2...n], can 
suggest a new partition at any time by setting variable changei to true and broadcasting a message 
containing the proposed partition. An invariant that should be maintained is: if no process is 
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n: number of processes T: amount of time spent (in s) 
M : amount of memory used (in MB) 

*: does not include the cases in which the technique runs out of memory 



Table 1: Primary-Secondary example with the number of events on a process bounded by 90. 



changing the partition, then all processes agree on the partition. Its complement, corresponding to 
a global fault, can be expressed as: 

~^Idb = ~^change2 A -^changes A • • • A ~^change n A ^ \J {partition^ ^ partition j^j 

ij'e[i...n], i^j 

Note that the first n — 1 clauses of ~^Idb are local predicates and the last clause, say LC, is a 
disjunction of 2-local predicates. Thus, using the technique described in Section 18.51 LC can be 
rewritten as a predicate in DNF with 0{n\E\) clauses. To reduce the number of clauses, we proceed 
as follows. Let V denote the set of values that partition\ assumes in the given computation. Then 
it can be verified that LC is logically equivalent to: 

\J (^(partitioni = v) A (^(partitiori2 7^ v) V (partition^ ^ v) V • • • V (partition n ^ 

This decreases the number of clauses, when LC is rewritten in a form that can be used to 
compute a slice, to 0(n|y|). Note that \V\ is bounded by the number of events on the first process, 
and therefore we expect n\V\ to be 0(|i?|). We use the simulator implemented in Java by Stoller, 
Unnikrishnan and Liu to generate computations of these protocols. Message latencies and other 
delays (e.g., how long to wait before looking for a new successor) are selected randomly using the 
distribution 1 + exp(x), where exp(x) is the exponential distribution with mean x. Further details 
of the two protocols and the simulator can be found elsewhere |SUL00j . We consider two different 
scenarios: fault-free and faulty. The simulator always produces fault-free computations. A faulty 
computation is generated by randomly injecting faults into a fault-free computation. Note that 
in the first (fault-free) scenario, we know a priori that the computation does not contain a faulty 
consistent cut. We cannot, however, assume the availability of such knowledge in general. Thus 
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Figure 11: Primary-Secondary example with the number of events on a process bounded by 90 for 
(a) no faults and (b) one injected fault. 



it is important to study the behaviour of the two predicate detection techniques in the fault-free 
scenario as well. We implement the algorithm for slicing a computation in Java. We compare the 
two predicate detection techniques with respect to two metrics: amount of time spent and amount 
of memory used. In the case of the former technique, both metrics also include the overhead of 
computing the slice. We run our experiments on a machine with Pentium 4 processor operating at 
1.8GHz clock frequency and 512MB of physical memory. 

For primary-secondary example, the simulator is run until the number of events on some process 
reaches 90. The measurements averaged over 300 computations are displayed in Table ^ With 
computation slicing, for fault-free computations, the slice is always empty. As the number of 
processes is increased from 6 to 12, the amount of time spent increases from 356s to 2,849s, whereas 
the amount of memory used increases from 1.21M to 2.16M. On the other hand, with partial-order 
methods, they increase, almost exponentially, from 69s to 4,997s and 0.62M to 21.56M, respectively. 
Even on injecting a fault, the slice stays quite small. After computing the slice, in our experiments, 
we only need to examine at the most 13 consistent cuts to locate a faulty consistent cut, if any. The 
amount of time spent and the amount of memory used, with computation slicing, increase from 
366s to 2,765s and 1.38M to 2.43M, respectively, as the number of processes is increased from 6 
to 12. However, with partial-order methods, they again increase almost exponentially from 46s to 
3,510s and 0.41M to 14.13M, respectively. Clearly, with slicing, both time and space complexities 
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n: number of processes T: amount of time spent (in s) 
M: amount of memory used (in MB) 

*: does not include the cases in which the technique runs out of memory 



Table 2: Database partitioning example with the number of events on a process bounded by 80. 

for detecting a global fault, if it exists, in primary-secondary example are polynomial in input size 
for the specified range of parameters. In contrast, with partial-order methods, they are exponential 
in input size. Figure fTTT a) and Figure [TlT b) plot the variation in the two metrics with the number 
of processes for the two approaches. 

The worst-case performance of the partial-order methods approach is quite bad. With 12 
processes in the system and the limit on the memory set to 100MB, the approach runs out of 
memory in approximately 6% of the cases. In around two-thirds of such cases, the computation 
actually contains a consistent cut that does not satisfy the invariant. It may be noted that we do 
not include the above-mentioned cases in computing the average amount of time spent and memory 
used. Including them will only make the average performance of the partial-order methods approach 
worse. Further, the performance of the partial-order methods approach appears to be very sensitive 
to the location of the fault, in particular, whether it occurs earlier during the search or much later 
or perhaps does not occur at all. Consequently, the variation or standard deviation in the two 
metrics is very large. This has implications when predicate detection is employed for achieving 
software fault tolerance. Specifically, it becomes hard to provision resources (in our case, memory) 
when using partial-order methods approach. If too little memory is reserved, then, in many cases, 
the predicate detection algorithm will not be able to run successfully to completion. On the other 
hand, if too much memory is reserved, the memory utilization will be sub-optimal. 

For database partitioning example, the simulator is run until the number of events on some 
process reaches 80. The measurements averaged over 300 computations are shown in Table [21 
Figure [T2T c) and Figure ^Jd) plot the variation in the two metrics with the number of processes 
for the two approaches. As it can be seen, the average performance of partial-order methods is much 
better than computation slicing. This is because substantial overhead is incurred in computing the 
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Figure 12: Database partitioning example with the number of events on a process bounded by 80 
for (c) no faults and (d) one injected fault. 



slice. The slice itself is quite small. Specifically, for the fault-free scenario, the slice is always empty. 
On the other hand, for the faulty scenario, only at most 4 transitions need to be explored after 
computing the slice to locate a faulty consistent cut, if any. 

Even for database partitioning example, for 10 processes, the partial-order methods approach 
runs out of memory in a small fraction — approximately 1% — of the cases. Therefore the worst-case 
performance of computation slicing is better than partial-order methods. To get the best of both 
worlds, predicate detection can be first done using the partial-order methods approach. In case 
it turns out that the approach is using too much memory, say more than cra|E| for some small 
constant c, and still has not terminated, it can be aborted and the computation slicing approach 
can then be used for predicate detection. 

9 Discussion 

In this paper, we introduce the notion of computation slice and prove its usefulness in evaluating 
global properties in distributed computations. We provide efficient polynomial-time algorithms 
for computing the slice for several useful classes of predicates. For many other classes predicates 
for which it is otherwise provably NP-complete to compute the actual slice, we present efficient 
heuristic algorithms for computing an approximate slice. Our experimental results demonstrate 
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that slicing can lead to an exponential improvement over existing techniques in terms of time and 
space for intractable problems such as predicate detection. 

Recently, we have been able to prove that exists a polynomial-time algorithm for detecting a 
predicate if and only if there exists a polynomial-time algorithm for computing its slice. At first 
glance it may seem that we are not any better off than we were before. After all, predicate detection 
is "equivalent" to computation slicing. Then, how can slicing be used to improve the complexity of 
predicate detection? The answer is in affirmative; slicing can indeed be used to facilitate predicate 
detection as illustrated by the following example. Consider a predicate b that is a conjunction of 
two clauses 61 and 62- Now, assume that b\ can be detected efficiently but 62 has no structural 
property that can be exploited for efficient detection. To detect b, without computation slicing, 
we are forced to use techniques |CM911 IAV011 ISULOOj which do not take advantage of the fact 
that 61 can be detected efficiently. With computation slicing, however, we can first compute the 
slice for b\. If only a small fraction of consistent cuts satisfy b\ , then, instead of detecting b in the 
computation, it is much more efficient detect b in the slice. Therefore by spending only polynomial 
amount of time in computing the slice we can throw away exponential number of consistent cuts, 
thereby obtaining an exponential speedup overall. Consequently, the equivalence result, rather than 
diminishing the benefits of computation slicing, actually enhances them by significantly enlarging 
the class of predicates for which the slice can be computed efficiently. 

Although in this paper our focus is on distributed systems, slicing has applications in other 
areas as well, such as combinatorics |Car02aj . A combinatorial problem usually requires counting, 
enumerating or ascertaining the existence of structures that satisfy a given property. We cast the 
combinatorial problem as a distributed computation such that there is a bijection between the 
combinatorial structures satisfying a property b and the global states (or consistent cuts) that 
satisfy a property equivalent to b. We then apply results in slicing a computation with respect 
to a predicate to obtain a slice consisting of only those global states that satisfy b. This gives us 
an efficient algorithm to count, enumerate or detect structures that satisfy b when the total set of 
structures is large but the set of structures satisfying b is small. 

For example, consider the following problem in combinatorics: Count the number of subsets 
of size k of the set {1,2, . . . ,n} (hereafter denoted by [n]) which do not contain any consecutive 
numbers (for given values of n and k ). To solve this problem, we first come up with a distributed 
computation such that there is a one-to-one correspondence between global states and subsets of 
size k. Figure a) depicts a computation such that all subsets of [n] of size k are its global states. 
There are k processes in this computation and each process executes exactly n — k events. By the 
structure of the computation, if, in a global state, process pi has executed j events, then process 
Pi + i must have also executed at least j events. The correspondence between subsets of [n] and 
global states can be understood as follows. If a process pi has executed m events in a global state, 
then the element m + i belongs to the corresponding subset. Thus process pi chooses a number 
from 1 . . . (n — k + 1) (because there are n — k events); process P2 chooses the next larger number 
and so on. Figure IPST b') gives an example of the computation for subsets of size 3 of the set [6]. 
The global state shown corresponds to the subset {1,3,4}. 

Now we define predicate b to be "the global state does not contain any consecutive numbers" . 
For the computation we have constructed, it can be easily verified that the predicate b is regular. 
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Figure 13: (a) Computation for subsets of [n] of size k, and (b) example when n = 6 and fe = 3. 
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Figure 14: Slice with respect to the predicate "the global state does not contain any consecutive 
numbers" . 



Therefore one can mechanically and efficiently compute the slice of the computation with respect 
to b. Figure ITU shows the slice which includes precisely such subsets. Clearly, if the event labeled m 
on process pi has been executed, then the event labeled m + 2 on process Pi+i should also have been 
executed. This can be accomplished by adding the dotted arrows to the computation as depicted 
in the figure. By collapsing all strongly connected components and by removing the transitively 
implied edges, we obtain a graph that is isomorphic to the graph shown in Figure EU a )> with k 
processes and in which each process executes n — k — (k — 1) events. Therefore the total number of 
such sets is ( n ~fc +1 ). |Car()2a| gives several other applications of slicing for analyzing problems in 
integer partitions, set families, and set of permutations. 

At present, all our algorithms for computing a slice are centralized in nature. They assume 
that there is a designated process that is responsible for collecting all the events that have been 
generated and constructing a trace using them. Slicing algorithms use this trace to compute 
the slice. While the centralized approach is quite adequate for applications such as testing and 
debugging, for other applications including software fault tolerance, a more distributed approach is 
desirable. Also, currently, algorithms for computing a slice and therefore for detecting a predicate 
work in an off-line manner. To detect a software fault in a more timely manner, however, it is 
desirable and sometimes essential that its slice be computed and analyzed for any possible fault in 
an incremental fashion. As the execution of the system progresses and more and more events in the 
trace become available, the current slice is updated to reflect the newly generated events. In the 
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future, we plan to develop slicing algorithms that are incremental and more distributed in nature. 
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A Omitted Proofs 



Proof for Theorem |3J We have to prove that if b\ and 62 axe regular predicates then so is 61 A 62 . 
Consider consistent cuts C\ and C2 that satisfy b\ A 62- By semantics of conjunction, both C\ and 
C2 satisfy b\ as well as 62. Since 61 and 62 are regular predicates, CinC2 satisfies b\ and 62- Again, 
by semantics of conjunction, C\ n C2 satisfies 61 A 62- Likewise, C\ U C2 satisfies 61 A 62- Thus 
61 A 62 is a regular predicate. □ 



Proof of Theorem llOt (reg (b) is weaker than b) Follows from the definition. 

{reg is monotonic) Since reg (b 1 ) is weaker than b', it is also weaker than b. That is, reg (&') is 
a regular predicate weaker than b. By definition, reg (b) is the strongest regular predicate weaker 
than b. Therefore reg (b) is stronger than reg (b') or, in other words, reg (b) =>• reg (b 1 ). 

(reg is idempotent) Follows from the fact that reg (b) is a regular predicate and is weaker than 
reg(b). □ 



Proof for Lemma I2U1 It suffices to prove that if C is a consistent cut of 7ib(E), then C(Q) is a 
consistent cut of (E(Q),—>(Q))b- We prove the contrapositive. We have, 

C(Q) is not a consistent cut of (-E'(Q), — >(Q))& 
=>■ { definition of consistent cut } 

(3 e, f G E(Q) : there is a path from e to / in (E(Q),->(Q)) b : (/ G C(Q)) A (e C(Q)> 

{ using definition of i*&(e, Q)[i] where pj = proc(f) } 

(3 e, / G E(Q) : F 6 (e, Q)[i] / : (/ G C(Q)) A (e C(Q)> 
=4> { using definition of Kb(e)[i] } 

(3 e, f G £(Q) : tf 6 (e)[i] 4 / : (/ G C(Q)) A (e C(Q)) 

{ using definition of TCb(E) } 

(3 e, / G £(Q) : there is a path from e to / in TL b (E) : (/ G C(Q)) A (e C(Q)) 
=>- { / G C(Q) =► / G C and (e C(Q)) A (e G J5(Q)) =► e C } 

(3 e, / G E : there is a path from e to / in H b (E) : (/ G C) A (e G" C)} 
=^ { definition of consistent cut } 

C is not a consistent cut TC b (E) 

This establishes the lemma. □ 



Proof of Theorem 1251 The first two propositions are easy to verify. We only prove the last 
proposition. As for the last proposition, it can be verified that a regular predicate is controllable 
in a computation if and only if there exists a path from the initial to the final consistent cut in 
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the lattice (of consistent cuts) such that every consistent cut along the path satisfies the predicate 
|TG98j . Note that the path from the initial to the final consistent cut actually corresponds to 
a longest chain in the lattice of consistent cuts. For a lattice L, let height(L) denote the length 
of a longest chain in L. Therefore if b is controllable in (E,—>), then a longest chain in C{E) is 
contained in Cb{E) as well and vice versa. This implies that height (C(E)) ^ height(C&(^)). However, 
C b (E) C C(E) implying that height(C b (£)) < height(C(£)). Therefore we have: 

controllable: b = height(C(£)) = height(C 6 (£)) 

For a finite distributive lattice L, the length of its longest chain is equal to the number of its 
join-irreducible elements |DP90| . In other words, height(L) = JX{V). Also, as observed before in 
Section for a directed graph, the number of join-irreducible elements of the lattice generated by 
its set of consistent cuts — including trivial consistent cuts — is same as the number of its strongly 
connected components. As a result, height(C(£')) = JT{C(E)) = scc((S,— ►)) and height(C&(E)) = 
Jl(C b (E))=scc((E,^) b ). □ 
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B Computing the Slice for Monotonic Channel Predicate 



We present an optimal algorithm to compute the slice with respect to monotonic channel predicates 
such as: 

• /\ (at most kij messages in transit from process pi to process pj), and 
i,je[i..n] 

• f\ (at least ky messages in transit from process pi to process pj) 
i,je[l..n] 

We only provide the slicing algorithm for the first predicate here. The slicing algorithm for the 
second predicate is very similar and has been omitted. Let snd(i,j)(x) denote the send event on 
Pi corresponding to the send of the x th message to pj. Similarly, let rcv(i,j)(k) denote the receive 
event on pi corresponding to the receive of the x th message from pj. (Note that the x th message 
sent by pi to pj may be different from the x th message received by pj from pi because we do not 
assume that channels are FIFO.) 

Consider a computation {E, — >) and a monotonic channel predicate b of the form in the first 
example. As in the case of conjunctive predicate, we construct a graph TCb(E) with vertices as the 
events in E and the following edges: 

1. from an event, that is not a final event, to its successor, 

2. from a send event to the corresponding receive event, and 

3. from a receive event rcv(j,i)(x) to the send event snd{i,j)(x + k^), if it exists. 

As before, the first two types of edges ensure that the Lamport's happened-before relation 
|Lam78j is contained in V(TCb(E)). For an example, consider the computation shown in Figure fT^T a) 
and the monotonic channel predicate "at most one message is in transit in any channel" . Here, k±2 = 
&21 = 1. The corresponding graph constructed, as described above, is depicted in Figure IToT b^. We 
first establish that the graph contains a consistent cut of the computation only if the cut satisfies 
the channel predicate. 

Lemma 34 Every (non-trivial) consistent cut ofTCb(E) satisfies b. 

Proof: Consider a consistent cut C of 7ib(E) and processes pi and pj. Let snd(i,j)(x) be the send 
event corresponding to the last message sent by pi to pj such that snd(i, j)(x) G C. Since C is a 
consistent cut of TCb(E) and there is an edge from rcv(j, i)(x — kij) to snd(i, j)(x), rcv(j, i){x — kij) 
also belongs to C . This implies that there are at most kij messages in transit from pi to pj. □ 

We next show that the graph retains all consistent cuts of the computation that satisfy the 
channel predicate. 

Lemma 35 Every consistent cut of (£',—>) that satisfies b is a consistent cut ofTib(E). 
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srad(l,2)(2) 




rcv{2, 1)(1) 

(a) (b) 

Figure 15: (a) A computation, and (b) its slice with respect to the monotonia channel predicate 
"at most one message in transit in any channel" . 

Proof: Consider a consistent cut C of (E, — ►) that satisfies b. Assume, on the contrary, that C is 
not a consistent cut of 7if,(E). Thus there exist events e and / such that there is a path from e to 
/ in TCb(E), f belongs to C but e does not. Since C is a consistent cut of (E, — the edge from 
e to / could only of type (3). (The other two types of edges are present in (E, — ►) as well.) Let e 
be rcv{j,i)(x) and / be snd{i, j)(x + fcjj). Since C satisfies 6, rcv{j,i)(x) belongs to C. In other 
words, e belongs to C — a contradiction. □ 

From the previous two lemmas, it follows that: 

Theorem 36 7ib{E) is cut- equivalent to (E, — >)&. 

It is easy to see that the graph Hb(E) has 0(|i?|) vertices, 0(|i£|) edges (at most three edges 
per event assuming that an event that is not local either sends at most one message or receives at 
most one message but not both) and can be built in 0(|£J|) time. Thus the algorithm has 0(|£J|) 
overall time-complexity. 
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C Computing the Slice for Linear Predicate: Proof of Correctness 

Consider a computation (E, — ►) and a linear predicate b. First, we extend the definition of J b (e) for 
an event e and a regular predicate b to the case when 6 is a linear predicate. It can be easily verified 
that Jb(e) is uniquely defined for each event e even when b is a linear predicate. Now, consider the 
directed graph Qb{E) with vertices as events in E and an edge from an event e to an event / if 
and only if J&(e) C Jb(f). We establish that the directed graph Qb(E) is cut-equivalent to the slice 
(£?,—>)&. It suffices to prove that C{Qb{E)) is the smallest sublattice of C(E) that contains Cb{E). 
To that end, the following lemma comes in useful. The lemma basically states that, for each event 
e, Jfe(e) is the least consistent cut of Qb{E) that contains e. (Note that Jfe(e) C Jb(f) is equivalent 
to saying that there is an path from e to / in Qb{E).) 

Lemma 37 Given events e and f, e G J&(/) = J&(e) C Jb(f)- 

Proof: (=>) Assume that e G Jb(/). Let C = J 6 (e) n J&(/). Since e G Jb(e), e G C. Note that 
Jfi(e) and J&(/) are consistent cuts of (E, — >). Moreover, both of them satisfy b. Since b is a linear 
predicate, their conjunction, given by C, also satisfies b. This implies that C is a consistent cut of 
(E 1 , — >) which contains e and satisfies 6. However, Jt(e) is the feast such cut. Therefore J&(e) C C 
or Jft(e) C Jfi(e) fl Jb(f)- This implies that J&(e) = Jb(e) n Equivalently, J&(e) C J&(/). 

(<^=) Assume that J&(e) C J&(/). Since e G Jb(E), trivially, e G J&(/). □ 

Again, as before, let Jb{E) = { J&(e) | e G }. Using Lemma 1571 the following theorem can be 
proved in a similar fashion as Lemma ^] and Lemma IT51 

Theorem 38 C{Qb{E)) forms a distributive lattice under C. Further, the set of join-irreducible 
elements of C{Qb{E)) is given by Jb{E). 

The next lemma demonstrates that C{Qb{E)) contains at least Cb(E). 

Lemma 39 Every consistent cut in Cb(E) can be written as the join of some subset of elements in 
Jb(E). 

The proof of the above lemma is similar to the proof of Lemma El and therefore has been 
omitted. Observe that, for every event e, by definition, either J&(e) satisfies b or is same as E. In 
either case, J&(e) G Cb(E). Therefore we have, 

Observation 6 J b (E) C C b (E). 

Finally, the next theorem establishes that C{Qb{E)) is indeed the smallest sublattice of C{E) 
that contains all consistent cuts satisfying b. 

Theorem 40 Any sublattice of C(E) that contains Cb(E) also contains C{Qb{E)). 

Proof: Consider a sublattice T> of C(E) such that T> contains Cb(E). Also, consider a consistent 
cut C of C(Qb(E)). From Birkhoff's Representation Theorem and Theorem 1381 C can be expressed 



49 



as the join of some subset of elements in Jb{E). Since Jb{E) C Cb(E) and Cb(E) C V, Jb(E) C V. 
This implies that C can be written as the join of some subset of elements in T>. However, T> is a 
sublattice and thus closed under set union. Therefore C 6 T>. □ 

The directed graph Qb(E) has |_E7] vertices and can have as many as $72 ( | ^7 1 2 ) edges. However, by 
constructing Sb(E), the skeletal representation of (E, — instead of Qb{E), the number of edges 
and the time-complexity can be reduced to 0{n\E\) and 0(n 2 \E\), respectively. 
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